[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Successor to CentOS] AlmaLinux OS server construction/migration service

[For WordPress only] Cloud server “Web Speed”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Reservation system development] EDISONE customization development service

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[Global exclusive service] Beyond's MSP in North America and China

[YouTube] Beyond official channel “Biyomaru Channel”

Kaspersky released an OSS antivirus tool so I tried it (Kaspersky Virus Removal Tool for Linux)

2024.11.01

Infrastructure related

Hello.
the morning and
the system solutions department is running out of memory.

I was recently looking for a good OSS antivirus software product, and
the famous Kaspersky company released a tool called " Kaspersky Virus Removal Tool for Linux " around June, and I was interested. So, I would like to write an article about what I briefly verified as a memorandum.

download

■Verification environment

Ubuntu 24.04 LTS Kaspersky Virus Removal Tool 24.0.5.0

Please try downloading it from below.
https://www.kaspersky.com/downloads/free-virus-removal-tool

Basically, it's ok if you follow the official procedure.
It is convenient because it is executed every time, so no installation is required.
https://support.kaspersky.com/help/kvrt/2024/en-us/269465.htm

After downloading from the browser, change the permissions and try running it.
First, the pattern to be executed from the GUI.

$ cd ~/Downloads $ chmod +x kvrt.run $ ./kvrt.run Running with root privileges Generated directory is</tmp/9d208c686fe9d56312596> Verifying archive integrity... 100% SHA256 checksums are OK. All good. Uncompressing Kaspersky Virus Removal Tool 24.0.5.0 for Linux 100% ===================== =========== Running kvrt with args <> ================================= compver: 24.0.5.0 x86-64 (Jul 9 2024 17:36:48) Product folder ----------------------------

▼ The terms of use will be displayed, so if you can confirm each, check the box and proceed to the next step.

▼ The first time, the version information will be displayed, so if you can confirm it, press CLose and immediately click [Start Scan].

▼ Wait while the scan is executed. This time I ran it with a clean image, so nothing was detected.

This tool can only be run spot-on, and does not have real-time scanning capabilities.
If you want to run it manually, there is no problem using the GUI, but if you want to run it periodically, it is recommended to put it in cron and run it via CLI.

Next time I will try it via CLI.

Performed via CLI

First of all, help.
https://support.kaspersky.com/help/kvrt/2024/en-us/269475.htm

-h - show help -d<folder_path> - path to quarantine and reports folder -accepteula - accept EULA, Privacy Policy and KSN Statement -trace - enable trace collection -tracelevel<level> - set the level of traces: ERR - only error messages WRN - warnings and errors INF - information, warnings and errors DBG - all messages -processlevel<level> - set the level of danger of object which will be neutralized: 0 - skip objects with high, medium and low danger level 1 - neutralize objects with high danger level 2 - neutralize objects with high and medium danger level 3 - neutralize objects with high, medium and low danger level -dontencrypt - disable encryption of trace files/reports/dump files -details - enable detailed reports -proxyconfig<config_file_path> - path to file with proxy config -silent - run scan without GUI -adinsilent - run active disinfection in silent mode -allvolumes - add all volumes to scan -custom<folder_path> -path to custom folder for scan -customlist<file_path> -path to file with custom folders for scan -exclude<folder_path> -exclude path from custom scan -excludelist<file_path> - path to file with excludes for custom scan -customonly - run scan of custom folders only

I'll try running it with minimal options.

-silent prevents GUI from starting.
-accepteula to skip the convention.

$ ./kvrt.run -- -silent -accepteula Graphical mode is<wayland> localuser:root being added to access control list Running with root privileges Generated directory is</tmp/92302b5bca4f82e716374> Verifying archive integrity... 100% SHA256 checksums are OK. All good. Uncompressing Kaspersky Virus Removal Tool 24.0.5.0 for Linux 100% ===================== =========== Running kvrt with args <-trace -silent -accepteula> =========================== ====== compver: 24.0.5.0 x86-64 (Jul 9 2024 17:36:48) Product folder ======================== ========= Scan is started ================================= ===== ============================ Scan is finished with results: Processed: 27957 Processing errors: 0 Detected: 0 Password protected: 0 Corrupted: 0 ================================================= ================= kvrt exited with code <0> ========================== ======= localuser:root being removed from access control list

Just like when running the GUI, nothing was detected.

Try to detect malware

Next, let's detect malware.
As preparation, download the file below from the eicar site (under ./Downloads).
https://www.eicar.org/download-anti-malware-testfile/

▼ Place the eicar file under Downloads.

$ ls -l total 151296 -rw-rw-r-- 1 hamchan hamchan 68 Oct 29 10:26 eicar.com -rw-rw-r-- 1 hamchan hamchan 184 Oct 28 14:01 eicar_com.zip

This time, I will specify the folder under Downloads and run it.

-trace Enable tracing.
-tracelevel Set to "DEBUG" to output all event logs.
-custom Specify the inspection directory.
-processlevel This time, set it to 3 to detect all threats in the low to high range.

 ./kvrt.run -- -accepteula -trace -tracelevel DBG -custom /home/hamchan/Downloads/ -processlevel 3 -silent Graphical mode is<wayland> localuser:root being added to access control list Running with root privileges Generated directory is</tmp/74a8bcf3a3339fc810150> Verifying archive integrity... 100% SHA256 checksums are OK. All good. Uncompressing Kaspersky Virus Removal Tool 24.0.5.0 for Linux 100% ===================== =========== Running kvrt with args <-accepteula -trace -tracelevel DBG -custom /home/hamchan/Downloads/ -processlevel 3 -silent> ============ ===================== compver: 24.0.5.0 x86-64 (Jul 9 2024 17:36:48) Product folder ========= ======================== Scan is started ======================= ========== Threat<EICAR-Test-File> is detected on object</home/hamchan/Downloads/eicar.com> Threat<EICAR-Test-File> is detected on object</home/hamchan/Downloads/eicar_com.zip> ================================= Scan is finished with results: Processed: 27961 Processing errors: 0 Detected: 2 Password protected: 0 Corrupted: 0 ================================= Action<Cure> is selected for threat<EICAR-Test-File> on object</home/hamchan/Downloads/eicar.com> Action<Cure> is selected for threat<EICAR-Test-File> on object</home/hamchan/Downloads/eicar_com.zip> ================================= Disinfection is started ============== =================== Disinfection action<Quarantine> for threat<EICAR-Test-File> on object</home/hamchan/Downloads/eicar.com> is finished with status<Quarantined> Disinfection action<Quarantine> for threat<EICAR-Test-File> on object</home/hamchan/Downloads/eicar_com.zip> is finished with status<Quarantined> Disinfection action<Cure> for threat<EICAR-Test-File> on object</home/hamchan/Downloads/eicar.com> is finished with status<CureFailed> Disinfection action<Cure> for threat<EICAR-Test-File> on object</home/hamchan/Downloads/eicar_com.zip> is finished with status<CureFailed> Disinfection action<Delete> for threat<EICAR-Test-File> on object</home/hamchan/Downloads/eicar.com> is finished with status<Deleted> Disinfection action<Delete> for threat<EICAR-Test-File> on object</home/hamchan/Downloads/eicar_com.zip> is finished with status<Deleted> ================================= Disinfection is finished with results: Processed: 4 Processing errors: 0 Skipped: 0 Quarantined : 2 Quarantine failed: 0 Cured: 0 Cure failed: 2 Cure on reboot: 0 Deleted: 2 Delete on reboot: 0 Restored: 0 Restore on reboot: 0 ================ ================= ================================= kvrt exited with code <0> ================================= localuser:root being removed from access control list

Looking at the log, it seems that the virus was successfully detected and deleted after being quarantined.
Files are also missing from directories.

$ ls -lha drwxr-xr-x 2 hamchan hamchan 4.0K Oct 29 10:49 . drwxr-x--- 17 hamchan hamchan 4.0K Oct 29 10:44 ..

By the way, each time it is executed, the isolated file is saved in the following location (when executed as root).

$ sudo ls -l /var/opt/KVRT2024_Data total 24 drwx------ 2 root root 4096 Oct 28 13:52 Anomalies drwx------ 2 root root 4096 Oct 29 10:45 'Legal notices' drwx------ 4 root root 4096 Oct 29 10:49 Quarantine drwx------ 2 root root 4096 Oct 29 10:45 Reports drwx------ 2 root root 4096 Oct 29 10:49 Temp drwx------ 2 root root 4096 Oct 29 10:45 Traces $ sudo ls -l /var/opt/KVRT2024_Data/Quarantine total 12 drwx------ 2 root root 4096 Oct 29 10:49 KVRTQ0001 drwx------ 2 root root 4096 Oct 29 11:34 KVRTQ0002 drwx------ 2 root root 4096 Oct 29 11:41 KVRTQ0003

If you want to restore files due to excessive detection, etc., you can do so via the GUI.
https://support.kaspersky.com/help/kvrt/2024/en-us/269476.htm
▼ Select a file from the list and restore it to the original directory.

The above is simple compared to the software provided for a fee, but
since it can do so much with OSS and is relatively light to operate, I think it would be quite useful for personal use.
It seems that Microsoft has recently released a tool for Linux, so I would like to check it out if I have time.

complete

If you found this article helpful , please give it a like!