Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
From: Alex N. <ajn...@cs...> - 2014-08-19 15:46:47
Fiwalk runs plugins against individual files, not against the entire disk image. For your floppy, is the boot sector being exposed as a virtual file, like a FAT file system's allocation table is exposed as $FAT1 or $FAT2? (Offhand I recall Fiwalk doesn't do this for floppies, but I don't have a floppy handy to test. Fiwalk usually creates all its virtual and non-virtual files starting at the scope of the file system, after the partition table is processed.) If the boot sector isn't exposed as a virtual file, Fiwalk won't clamscan it.

Could you post the names of files with a $ at the beginning? The boot sector would be $Boot or something similar if it existed.

--Alex

On Mon, Aug 18, 2014 at 3:35 PM, Christie Peterson <cpe...@jh...> wrote:
> I have some floppy disks known to be infected with the boot sector virus AntiCMOS.B but when I run ficlam.sh/clamconfig.txt (https://github.com/sleuthkit/sleuthkit/tree/master/tools/fiwalk/plugins) against images of these disks, it returns nothing found.
>
> I'm wondering if this is because of how fiwalk "walks" disk images – would a malware scan using fiwalk to access the contents of a disk image ever find something in the boot sector? I'd appreciate any explanation that you could provide.
>
> Thanks in advance,
>
> Christie Peterson
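An added example, not from this thread and not part of fiwalk's plugin scripts: a POSIX shell script that copies the first sector of a raw (dd-style) floppy image with dd, checks for the 0x55AA boot signature, and hands that sector to clamscan on its own, so the region the per-file plugin never sees still gets scanned. The raw-image assumption and the function names are mine.

```shell
#!/bin/sh
# Added example: scan a disk image's boot sector directly, because fiwalk
# plugins only see files the file system exposes. Assumes a raw image whose
# first 512 bytes are the boot sector (true for a floppy, not for a
# partitioned disk where LBA 0 holds the MBR).
set -u

SECTOR_SIZE=512

# Copy sector 0 of the image in $1 to the file named in $2.
extract_boot_sector() {
    img=$1; out=$2
    dd if="$img" of="$out" bs="$SECTOR_SIZE" count=1 2>/dev/null
}

# Succeed (exit 0) if bytes 510-511 of $1 hold the 0x55 0xAA boot signature.
has_boot_signature() {
    sig=$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Extract the boot sector of image $1 and run clamscan on it.
# Returns clamscan's exit status (0 clean, 1 infected, 2 error),
# or 3 if clamscan is not installed on this machine.
scan_boot_sector() {
    img=$1
    tmp=$(mktemp)
    extract_boot_sector "$img" "$tmp" || { rm -f "$tmp"; return 2; }
    if ! has_boot_signature "$tmp"; then
        echo "warning: no 0x55AA signature at offset 510 in $img" >&2
    fi
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --no-summary "$tmp"
        rc=$?
    else
        echo "clamscan not found; nothing scanned" >&2
        rc=3
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: scan_boot_sector floppy.img
```

clamscan reports the temporary file name, so for a batch of images print the image name alongside it to keep the mapping.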