
accessing files on mounted file system

(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
Topic starter  

Haven't been able to find much on this forum about it, but hopefully someone can help me out.

I've mounted a file system as a physical drive on my system, but because of the read-only nature, I am unable to do anything regarding file permissions so that my anti-virus scan will work.

I would like to figure out a way that I can keep everything quick and simple, a way to change the permissions so that I have unrestricted access to manipulate the file system enough to run the scan (the same goes for a write blocker, although having tried a couple of different ways of getting around it, there's simply no way I've found to view the file system in Windows without a forensic tool like EnCase/X-Ways/FTK).

Last resort (and what I'm probably going to do now) is to restore the image to disk and then just scan it that way, but I'd like to find a way to avoid that in the future.
Cheers


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

So you mounted a file system that is infected and want AV to clean it? Am I reading that right?

Regardless, I'd be careful with that - even though it's read only that doesn't prevent malware compromising your host system.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Maybe I'm not following things here, but why do you need to modify permissions to scan the file system? Are you attempting to clean/quarantine the file system, as well?


   
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

Convert the image to a vmdk file and run the anti-virus scan in VMWare. Then, you will know which files are infected.

The problem with changing the permissions on a live system is that the OS will have to access all the files in the directories which you want to run the anti-virus software on, thereby in all likelihood infecting the computer you're scanning from.


   
markg43
(@markg43)
Trusted Member
Joined: 18 years ago
Posts: 77
 

Though I follow my noble colleagues' lack of understanding of why permissions need to be changed.

Regardless, you can use FTK Imager (free) to mount your image file.

There is a check box in the Mount window. It will allow you to mount the image - writable.

It will create a delta file filename.D01 and will write any changes made to the image in that D01 file.

When you unmount, your image will still be pristine and will not have changed.

Hope that helps.

If you want to explain more what you are doing, feel free and we'll see what else we can recommend.


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> I've mounted a file system as a physical drive on my system, but because of the read-only nature, I am unable to do anything regarding file permissions so that my anti-virus scan will work

How have you mounted it? The solutions I know and use allow an administrator to take ownership of the files in the usual manner, which gives you full access for AV scanning etc.

Have you tried it? What mounting solution are you using?


   
(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
Topic starter  

Thanks guys.
I think I tried mounting it with write access but it was playing up. Will try it again.

I was under the impression the AV scan would work regardless of permission, but checking the log came up with a whole bunch of "file skipped" and "password protected" errors, and all of those files were effectively locked by user permissions. The reason I need to do it is to test for potential malware, not really clean the system.

I don't mind the potential infection risk because I can secure the particular system and then wipe it clean when it's done.

Will try the FTK writable mount.

May also try a combination of SIFT, AV and a mounted dd image.


   
markg43
(@markg43)
Trusted Member
Joined: 18 years ago
Posts: 77
 

If you have XWays, there is a function for AV scan in there. You set your exam workstation A/V system to monitor a specific temp folder and start the function - it will run the files out of the image into the temp folder for AV review.


   
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

Okay, if you really want to (you may have to have the password for a particular directory, depending on the level of security originally set to that folder)

http://forum.thewindowsclub.com/windows-tips-tutorials-articles/18379-how-take-ownership-full-control-permissions-files-folders-windows.html

http://www.winhelponline.com/blog/take-ownership-of-file-or-folder-windows-7-vista/

http://www.cyberciti.biz/tips/windows-change-access-permissions-from-the-command-line.html


   