I recently ran a virus scan on my Windows partition from Linux. It took six hours and completed overnight. The results were the last thing printed to the terminal. It showed it had scanned some 84 gigabytes of data, and that there were 13 infected files found. As I looked around, I couldn’t find a search function in the terminal, and the scroll bar didn’t even go up far enough. How would I find out which files those were?

I ran the scan again, but instead of the clamav -r /media/hd1 of the first time, I used clamav -r /media/hda1 &> clamav.log to dump all the output to file. The scan completed for a second time, and again found 13 infected files.

I came to my next problem. How on earth would I find the lines of the infected files out of the 106,064 lines in the log? I tried searching for DETECTED, but that didn’t work. I discovered I should search for FOUND. I wanted to get the lines in a separate file because I could, which was easy with cat clamav.log | grep FOUND &> infected.log.

It turned out all of the marked files were part of Warsow, an open source multiplayer FPS. The detected virus was Oversized.Zip. When I googled this, I found that it was because the compression ratio had exceeded some threshold somewhere. The pages often mentioned it in the context of a false positive. I think I just spent 12 hours trawling through my hard drive looking for 13 false positive compressed archives. It was fun, though. I got to use command-line fu. 🙂
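As an added example (not from the post above), here is the same log-mining done as small shell functions: pull the FOUND lines out of a clamscan-style log, check that their count matches the scanner's own "Infected files:" summary figure, and group hits by signature name so a heuristic match like Oversized.Zip stands out from a named malware signature. The log content and paths are constructed sample data, not output from the author's scan.

```shell
#!/bin/sh
# Constructed sample of clamscan output (not real scan data): the scanner
# prints one "<path>: <status>" line per file, then a summary block.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
/media/hda1/Games/warsow/basewsw/data0.pk3: Oversized.Zip FOUND
/media/hda1/Games/warsow/basewsw/data1.pk3: Oversized.Zip FOUND
/media/hda1/Users/me/notes.txt: OK
/media/hda1/Users/me/eicar.com: Eicar-Test-Signature FOUND
/media/hda1/Windows/System32/kernel32.dll: OK

----------- SCAN SUMMARY -----------
Known viruses: 1000
Scanned files: 5
Infected files: 3
EOF

# Print only the "<path>: <signature> FOUND" lines; anchoring on the line end
# avoids matching a file whose path merely contains the word FOUND.
infected_lines() {
    grep ' FOUND$' "$1"
}

# Number of FOUND lines, to compare against the scanner's own summary.
count_found() {
    grep -c ' FOUND$' "$1"
}

# The figure clamscan reported in its "Infected files:" summary line.
summary_infected() {
    sed -n 's/^Infected files: //p' "$1"
}

# Detections per signature name, most frequent first. The greedy ".*: "
# takes the last ": " on the line, so paths containing ": " still parse.
by_signature() {
    grep ' FOUND$' "$1" | sed 's/^.*: \(.*\) FOUND$/\1/' | sort | uniq -c | sort -rn
}

infected_lines "$SAMPLE_LOG"
echo "FOUND lines: $(count_found "$SAMPLE_LOG"), summary says: $(summary_infected "$SAMPLE_LOG")"
by_signature "$SAMPLE_LOG"
```

A mismatch between the two counts would mean the log was truncated or the grep pattern missed a line, which is worth knowing before trusting the extracted list.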