Introducing the McAfee Command Line Scanner Project

After many weeks of research and experimentation, I am releasing the McAfee Command Line Scanner Project (MCLSP) as my first free tool. This project contains everything you need to build a custom live Ubuntu Linux distribution (distro) that runs the McAfee Windows A/V Command Line Scanner. For many years I used the BartPE tools to build bootable Windows CDs/DVDs to perform McAfee A/V scans. I got tired of BSODs caused by missing or incorrect drivers. So – I built a better malware fighting tool based on Linux.

As an emergency incident responder, I quite often encounter malware that is so pervasive there is no efficient way to eradicate it with the host Windows OS running. Scanning in Safe Mode usually doesn’t work in these situations either. With the MCLSP you can create a live Ubuntu ISO that will boot a Windows host in Linux and automatically scan all FAT/NTFS volumes for malware. Windows is nowhere to be found.

I have written extensive documentation for Linux pros and newbies alike. You can download the tool and the docs on the Free Tools page.

Remember – the correct way to remediate a compromised computer is to re-image. When that is not feasible – consider a thorough A/V scan using this tool. Please let me know how the tool works for you and what improvements you would like to see.

How ironic is it that you need Linux to correctly remediate a compromised Windows box?

NOTE: This project is not affiliated with McAfee. It respects all licenses, trademarks, copyrights, patents, and intellectual property of McAfee, Inc. of Santa Clara, CA. You are expected to do the same.

8 Responses to “Introducing the McAfee Command Line Scanner Project”

  • Stephen says:

    Are there any plans to create a true LiveCD with this project so that the current DAT files will be pulled and used instead of having to build a new CD with the most current DAT files; like so many of the other vendors?

    • mspohn says:

      Hi Stephen,

      If the host you boot with the live CD/DVD or thumb drive is connected to the Internet, then by default, the latest McAfee DAT will be downloaded from the McAfee ftp site. If you look in the av_config.ini file in the /home/mcafee folder on the distro, you will see a [DAT] section. If autodownload=1, then the DAT gets downloaded and installed prior to any scans.

      This feature means you can burn an ISO to a bootable media once and continue to use it.

      If you take a quick look at the User’s Guide, you will see there are a lot of configuration features that make your life easier. For example, you can configure the tool to download files from an SMB share at boot time. This means you can post EXTRA.DATs and custom av_config.ini and av_options.txt files on a share and not have to keep rebuilding an ISO.

      Thanks for your interest in the MCLSP. I really appreciate your feedback.

      M. Spohn
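The boot-time behaviour described in this reply (a baked-in av_config.ini whose [DAT] autodownload setting decides whether a DAT is fetched before scanning, with a copy posted on an SMB share taking precedence so the ISO need not be rebuilt) can be modelled as below. This is an added example, not code from the MCLSP project; the two sample INI texts are constructed, and only the [DAT] section and its autodownload key come from the thread.

```python
import configparser
from typing import Optional

# Constructed stand-in for the /home/mcafee/av_config.ini baked into the distro.
# Per the reply, autodownload=1 means the latest DAT is fetched before any scan.
BUILTIN_INI = """
[DAT]
autodownload=1
"""

# Constructed stand-in for a custom av_config.ini posted on an SMB share and
# pulled at boot time; here it turns the DAT download off (e.g. offline host).
SHARE_INI = """
[DAT]
autodownload=0
"""


def effective_config(builtin: str, share: Optional[str]) -> configparser.ConfigParser:
    """Overlay a share-provided av_config.ini (if one was fetched) on the built-in one.

    ConfigParser keeps the last value read for a key, so settings from the share
    override the ISO's defaults, which is the precedence the reply describes.
    """
    cp = configparser.ConfigParser()
    cp.read_string(builtin)
    if share is not None:
        cp.read_string(share)
    return cp


def dat_autodownload(cp: configparser.ConfigParser) -> bool:
    """True when [DAT] autodownload is enabled.

    The reply says downloading is the default, so a missing section or key
    falls back to True; getboolean accepts 1/0, yes/no, true/false, on/off.
    """
    return cp.getboolean("DAT", "autodownload", fallback=True)


def boot_steps(builtin: str, share: Optional[str]) -> list:
    """Ordered boot actions implied by the thread: apply share config, optionally
    update the DAT, then scan all FAT/NTFS volumes."""
    cp = effective_config(builtin, share)
    steps = []
    if share is not None:
        steps.append("apply av_config.ini from SMB share")
    if dat_autodownload(cp):
        steps.append("download and install latest DAT")
    steps.append("scan FAT/NTFS volumes")
    return steps
```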

      • Stephen says:

        I should have read the documentation first, I see that now. Thanks. I did however run into a snag running the shroot.sh script. It was chugging along doing its thing and then popped up with a Microsoft EULA for the ttf-mscorefonts-installer.

        Doesn’t allow me to click the OK, hit enter or escape from it at all.

        • mspohn says:

          This is confusing I know. There are no mouse drivers loaded so you have to use the Tab key to move the cursor to the Accept button. Then you should be good to go.

          MGS

  • Stephen says:

    Doh! Thank You. FYI – I did have to change the location in the chroot.sh file for Wine because Sourceforge has a new location for that cab.

  • Stephen says:

    Everything completed, but the size of my ISO is 733.6 MB so I’m going to have to go through it again and see if I can remove more stuff to make it fit on a CD.

    • mspohn says:

      The recent addition of a MS font package to Wine has increased (dramatically) the size of the package. I just discovered this last week. The short answer is to answer ‘No’ to the MS EULA agreement on the screen you struggled with. This will remove the font package from the install and bring the ISO back down below 700MB. The font packages are not needed. This only has to be done if you must have the image burned to a traditional CD. This is usually required on older hardware that does not have DVD drives.

      If you want to remove the font packages manually after the complete wine1.2 package installs, add the following line to chroot.sh just after the line ‘apt-get install wine1.2’:
      apt-get -y purge ttf-umefont

      I am updating the project to provide a pre-configured wine .deb package so it no longer has to depend on downloading a constantly changing Wine package. I will upload this as soon as I can.

      Thanks again for your interest in this project.

      MGS

      • Stephen says:

        Funny, that’s exactly what I did (Remove the fonts) only I did it manually from the terminal. (Doing is the best teacher – Not bad for a Linux newbie).

        At the end of chroot.sh the following message appears – not sure if this is expected and/or critical. It does create the initramfs and complete all tasks though.

        cryptsetup: WARNING: could not determine root device from /etc/fstab

        Is there an email address I can contact you at? I made a couple of notations to your document of differences I found along the way and I wanted you to have it.
