Topic: best virus scanning/removal tool for use in PE  (Read 29948 times)

Re: best virus scanning/removal tool for use in PE
« Reply #40 on: February 22, 2013, 01:22:41 PM »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
Here is a whole bunch of Antivir scripts that I redid or found that all seem to work.
Nice collection, thanks for sharing :thumbsup:
ESET SysRescue 6.0.306: I tried it without success, but I have not looked further at the batch files.
It would require, I believe, some adjustments; it lacks an End, so with the indentation there is a problem with the interface.
Dependencies seem to be written but commented out; to replace them it needs, indeed, the "add cmd" scripts.

my idea for av things is providing an easy way to download & update & inform ....,
  maybe a simple plugin, having some different av options,
It would be nice, indeed  :wink:
Not really easy to do something standard; every AV or malware tool has its own specifics.
I have some ideas on it, after writing ESETsmartinstallerStarter, but I also lack time  :wink:
It may be good to open a topic on it.

:cheers:

Re: best virus scanning/removal tool for use in PE
« Reply #41 on: February 22, 2013, 03:26:32 PM »

JonF

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jan 2011
  • Posts: 291
On the other hand, I have no problems with the update in VMware (I have 1.5MB of RAM):

Code:
The database was sucessfully updated from version v0.00.00.00 to
version v2013.02.22.02.
I have 1.5GB of RAM in Virtual Box and the update doesn't work. Maybe I should try 1.5MB?  :heh:

Quote
But even with the update, MBAM still does not work for me, it scans only the X: drive :wink:
I still can't get that far.

Re: best virus scanning/removal tool for use in PE
« Reply #42 on: February 22, 2013, 04:42:17 PM »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
I have 1.5GB of RAM in Virtual Box and the update doesn't work. Maybe I should try 1.5MB?  :heh:
:tongue:

Tested here with the standard Win7PESE x64 build with ieframe.dll added in Wow64, just added MBAM.
VMware with a little over 1.5 MB and Win7 x86 SP1 installed.
The scan takes only 2 min 10 s without looking at a single file on C:
Attachment: mbam-log-2013-02-22 (12-25-14).txt



Re: best virus scanning/removal tool for use in PE
« Reply #43 on: February 22, 2013, 05:19:58 PM »

JonF

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jan 2011
  • Posts: 291
I will have to look at ieframe.dll, I may not have that.

Where did the icon for MalwareBytes on your desktop come from?

Re: best virus scanning/removal tool for use in PE
« Reply #44 on: February 22, 2013, 07:58:28 PM »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
I will have to look at ieframe.dll, I may not have that.
Do we have the same MBAM script (Author=Homes32, Version=11 of 01-04-12)?

It also lacks mshtml.dll in Wow64 for the x64 build:
Set,%PluginArch%,x86
Require_FileQ,ieframe.dll
Require_FileQ,mshtml.dll

After updating, the keys are written to RunScanner's SOFTWARE_ON_C;
it does not seem to take the HKLM\Software\Malwarebytes' Anti-Malware keys into account (the file corrupted after updating offline may be related).

Code:
[HKEY_LOCAL_MACHINE\SOFTWARE_ON_C\Malwarebytes' Anti-Malware]
"advancedheuristics"=dword:00000001
"downloadprogram"=dword:00000001
"hidereg"=dword:00000000
"detectp2p"=dword:00000000
"detectpum"=dword:00000001
"detectpup"=dword:00000002
"updatewarn"=dword:00000001
"updatewarndays"=dword:00000007
"useproxy"=dword:00000000
"useauthentication"=dword:00000000
"contextmenu"=dword:00000001
"reportthreats"=dword:00000001
"startwithwindows"=dword:00000001
"startfsdisabled"=dword:00000000
"startipdisabled"=dword:00000000
"silentipmode"=dword:00000000
"autoquarantine"=dword:00000001
"notifyinstallprogram"=dword:00000001
"trialpromptshown"=dword:00000000
"autoquarantinenotify"=dword:00000001
"dbversion"="v2013.02.21.11"
"dbdate"="Thu, 21 Feb 2013 22:03:23 GMT"

Re: best virus scanning/removal tool for use in PE
« Reply #45 on: February 22, 2013, 09:09:27 PM »

halikus

  • Jr. Chef
  • **
  • Date Registered: Feb 2013
  • Posts: 28
With Malwarebytes, I think the problem that ChrisR is having is that he is just performing a quick scan rather than a full scan.  Booted off a 32 GB USB on a live system, these are the pics of the process I took with my crappy iPhone 1.  Sorry, I've never needed screenshots in a non-VMware PE before.

I had 15 MBAM scripts, and I started with the newer ones and changed the files grabbed and the resulting names until I had a working copy.  I think I ended up with the one Lancelot tweaked, but changed the core program download link from a 20 MB version to the 100 MB version.


When I build it, I use the settings that I have in the uploaded script, and download the full program and updates (test is in Win7PE x86).  Make sure to delete the workbench\common\Malwarebytes' Anti-Malware dir on the first run to make sure the files are "proper".

Boot into the PE on a live system, and using the non-RunScanner shortcut in the start menu, I get this, and say yes to accept updates.  You obviously need the net working.



Then you should be presented with the scan menu.  I think ChrisR clicked quick scan and only did the X:\ ramdrive.


Click on Full scan, select the drives you want scanned, and it should do them all.  Notice it's scanning my C:\, which is my HD movie dump.



I once again have no frameworks, special runtimes, files added, or drivers (besides Lan driverpack).



As for ESET, it works fine in W7x86, you just have to gather a few files first.  Like these :)  http://www.sendspace.com/file/8bl6m0
I was going to repackage the script to include the needed files, but I don't know (yet) how to have embedded files extract to system32.  And different archs, I'm figuring that out too.  Gathering files is my toughest task.  I generally use overlay directories to copy the needed files to the various builds.




Oh, I will also add, some AV scripts seem to be catered towards actually protecting the WinPE rather than scanning an offline OS.  For this I suggest Avira and the realtime scanner.  It also scans offline.  All the others are tested on a live system, and Win8PEs work with them too, but they throw up the odd error, but still run.  These scripts were just my base for everything I could find, and everything I got to work.  Whatever worked I uploaded.  Also, I'm petrified to run any of these live on my system.  I do a lot of AutoIt coding and these programs always detect my source code as malware.  If it quarantines it in the ramdisk and I reboot I'm fucked.
« Last Edit: February 22, 2013, 09:52:42 PM by halikus »

Re: best virus scanning/removal tool for use in PE
« Reply #46 on: February 23, 2013, 01:51:46 AM »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
With Malwarebytes, I think the problem that ChrisR is having is that he is just performing a quick scan rather than a full scan.
:embarrassed: Indeed, grrr, the full scan.

It seems that downloading rules.ref alone from the CDN will not work because the checksum doesn't match database.conf.
So I changed the download to use mbam-rules.exe (rules.ref and database.conf). Not completely up to date: today it downloaded the rules of 2013.02.18 instead of 2013.02.23.

I've updated the script to v12; there is no longer a problem of a corrupted file at startup :thumbsup:
 
History012=ChrisR Added Dependencies ieframe.dll, mshtml.dll. Arch x86
History012=ChrisR Runscanner updated 1.0.0.26. Remove the Runscanner /sv switch
History012=ChrisR Auto Download rules with cdn gives a corrupted database. Download and extract mbam-rules.exe now.

I have not tested further and with real X.
« Last Edit: February 23, 2013, 02:02:20 AM by ChrisR »

Re: best virus scanning/removal tool for use in PE
« Reply #47 on: February 23, 2013, 03:48:15 AM »

halikus

  • Jr. Chef
  • **
  • Date Registered: Feb 2013
  • Posts: 28
Your revised MBR script worked well on w7x86pe. 

Re: best virus scanning/removal tool for use in PE
« Reply #48 on: February 23, 2013, 01:16:30 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
Sorry, I've never needed screenshots in a non-VMware PE before.
You can use
Gena\Apps\Supplementary\Graphics\"Fast Stone Capture Free"
via
Win7PESE - Win8PESE -> "Share Scripts"
or Gena\Utils\"Share Scripts"
 :wink:

Re: best virus scanning/removal tool for use in PE
« Reply #49 on: February 23, 2013, 01:31:22 PM »

JonF

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jan 2011
  • Posts: 291
Do we have the same MBAM script (Author=Homes32, Version=11 of 01-04-12)?
I have that version, downloaded from this thread with a few fixups by Lancelot, and with a few further fixups by me. The only one I remember is that line 45:

Code:
If,EXISTFILE,"%Target_prog%\%ProgramFolder%\mbamext,1.dll",FileDelete,"%Target_prog%\%ProgramFolder%\mbamext,1.dll"
should be:

Code:
If,EXISTFILE,"%Target_prog%\%ProgramFolder%\mbamext#$c1.dll",FileDelete,"%Target_prog%\%ProgramFolder%\mbamext#$c1.dll"
(the #$c escape code instead of a literal comma). But even without RunScanner it just cycles through download-complain-download forever. I'll have to try running it with Procmon.

Lance: I'm doing just x86 builds for now. No need for more complications!

ABE: OK, I've downloaded the new ChrisR v12 and will try it. It needs the same mods but now on lines 51 and 56.
« Last Edit: February 23, 2013, 01:38:34 PM by JonF »

Re: best virus scanning/removal tool for use in PE
« Reply #50 on: February 23, 2013, 02:00:36 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
Lance: I'm doing just x86 builds for now. No need for more complications!
I agree  :wink:

for just a single file, above to me looks nice  :thumbsup:

after things finish up:
To get syntax more readable & understandable by others/newbies (complications ;))
check
Run,%ScriptFile%,CopyR,
available "PC Innounp" -> TM button (living example: \Apps\Security\"DiskCryptor" )

good luck to all on MBAM hunt   :great:

Re: best virus scanning/removal tool for use in PE
« Reply #51 on: February 23, 2013, 05:01:32 PM »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
Here is MBAM_M.script v13 with Lancelot's Innounp change, JonF's comma changes and some code cleanup.

I changed the name so there is no confusion with the original Homes32 version.
Without taking any credit for the work done, the changes here are only some minor adjustments in continuation,
probably related to the latest changes of Malwarebytes.

The best would be that Homes32 takes them, but I have not seen him for a while.

« Last Edit: February 23, 2013, 05:01:49 PM by ChrisR »

Re: best virus scanning/removal tool for use in PE
« Reply #52 on: February 23, 2013, 05:45:03 PM »

halikus

  • Jr. Chef
  • **
  • Date Registered: Feb 2013
  • Posts: 28
I agree with the credits Chris, and anything I have contributed so far (besides ClamWin and SUPERAntiSpyware) was usually less than 1% of the overall script.  One thing I did change in the credits was the date, so as to verify that it was working as of that day.  Some scripts were more than a year old, but still grab the newest version of the software.  The biggest problem with scripts I find is that the links change.   If I had my name in as the author, feel free to correct it, as it was there for me to distinguish them in my testing.

Gena is very nice too, Lancelot.  I also like the addition of the add packages script in Win8PE.  I was just going to suggest that for net4 :)

Re: best virus scanning/removal tool for use in PE
« Reply #53 on: February 23, 2013, 08:41:14 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 10350
The biggest problem with scripts I find is that the links change.   If I had my name in as the author, feel free to correct it, as it was there for me to distinguish them in my testing.
yep, links change, and many other stuff too...
That is the reason we made project servers,
 not only to distribute but also to have / keep working plugins  :thumbsup:
  yep, harder than chasing "easy money" to distribute "not working plugins"  :tongue:

As long as people like to share their plugins around  :thumbsup:,
  hopefully in good shape to put on servers easily with our limited time :turtle:

Antivirus plugins were an area we never really focused on much,
 there are limited plugins around TheOven.org, so far mainly following JonF's nice care  :thumbsup:


I was just going to suggest that for net4 :)
if you mean ".net framework 4" ,
 if so,
 well I feel we have a candidate member "halikus" who will provide a ".net framework 4" plugin soon  :smile:

Re: best virus scanning/removal tool for use in PE
« Reply #54 on: February 24, 2013, 01:36:11 PM »

JonF

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jan 2011
  • Posts: 291
OK, with Chris's new definition update MBAM is working. Still seems weird that it won't download.

I found a site that lists lots of sites with malware: http://www.malwaredomainlist.com/. The most useful lists are at http://www.malwaredomainlist.com/forums/index.php?topic=3270.0.

Re: best virus scanning/removal tool for use in PE
« Reply #55 on: February 26, 2013, 12:41:16 PM »

JonF

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jan 2011
  • Posts: 291
And now I've downloaded updates twice successfully in VMs. What happened?

Re: best virus scanning/removal tool for use in PE
« Reply #56 on: February 27, 2013, 04:03:23 PM »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
Still seems weird that it won't download.
I had the same concern this morning when downloading the update: MBAM closes completely :mad: Maybe it is only in a VM!

Otherwise, I installed a piece of malware in VMware; MBAM found it and then removed it successfully :cool:
I was not sure about the reboot message at the end, so I ran another scan in the host Win7 in VMware; it was indeed removed.


Re: best virus scanning/removal tool for use in PE
« Reply #57 on: February 27, 2013, 04:57:57 PM »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
Latest Eset_v6.0.308.0_1 works well for me too, now.
It is slow to start but it is nice to have  :great:

It did not work at first with " Volume in drive " and my fr-FR source " Le volume dans le lecteur " in ESET_SysRescue_Loader.bat

Code:
For /f "tokens=1 delims= " %%a in ('dir %drive%:\ ^2^>^&^1^|findstr /b /i /r /c:" Volume in drive "') do set DriveChecker=%%a
==>
For /f "tokens=1 delims= " %%a in ('dir %drive%:\ ^2^>^&^1^|findstr /i /r /c:" Volume "') do set DriveChecker=%%a


I also changed eav_nt32_enu.msi to eav_nt32_fra.msi for me (it would be better with a FileBox for the msi file).

And a small mod to make it work with or without the slash at the end of the Update Folder pFileBox1 (copy/paste from Explorer or button):
Code:
StrFormat,CTRIM,%pFileBox1%,\,%pFileBox1%
If,ExistDir,%pFileBox1%,Begin
  If,%pCheckBox13%,Equal,True,Begin
    Echo,Adding Updates...
    DirMake,%TargetDir%\%pTextBox1%
    DirCopy,%pFileBox1%\*.nup,%TargetDir%\%pTextBox1%
    DirCopy,%pFileBox1%\*.ver,%TargetDir%\%pTextBox1%
    DirCopy,%pFileBox1%\*32.dat,%TargetDir%\%pTextBox1%
  end
end
« Last Edit: February 27, 2013, 05:00:15 PM by ChrisR »
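
The locale problem described above (the loader greps the banner of `dir`, which every language of Windows prints differently) can be avoided entirely by testing an exit code instead of text. The following is an added example, not ChrisR's code and not part of the ESET SysRescue loader; it assumes the drive letter is passed as the first argument, standing in for the loader's %drive% variable, and the path tested for an offline Windows installation is my own choice:

```batch
@echo off
setlocal

rem Added example, not code from the thread or from ESET_SysRescue_Loader.bat:
rem a locale-independent replacement for the "Volume in drive" check.
rem Parsing the "dir" banner breaks on any non-English build (a French
rem build prints "Le volume dans le lecteur"); consulting the errorlevel of
rem a command behaves the same in every language.
rem Assumption: the drive letter is passed as %1, standing in for %drive%.

if "%~1"=="" (
    echo Usage: %~nx0 ^<drive letter^>
    exit /b 2
)
set "drive=%~1"
rem accept "D" as well as "D:" by stripping any colon
set "drive=%drive::=%"

rem "vol" returns errorlevel 0 only when the letter maps to a mounted,
rem readable volume. Its text is localized too, so it is discarded and
rem only the errorlevel is used.
vol %drive%: >nul 2>&1
if errorlevel 1 (
    echo Drive %drive%: is not mounted or not readable.
    exit /b 1
)
set "DriveChecker=%drive%"
echo Drive %drive%: is mounted.

rem Stricter test for an offline-scan target: look for the Windows
rem registry hive rather than for a localized banner. (Path is my choice.)
if exist "%drive%:\Windows\System32\config\SOFTWARE" (
    echo %drive%: carries an offline Windows installation.
) else (
    echo %drive%: has no Windows installation.
)

rem Export DriveChecker past endlocal (%..% expands before endlocal runs).
endlocal & set "DriveChecker=%DriveChecker%"
exit /b 0
```

Run it as `drivecheck.cmd D` from a WinPE command prompt. Only the errorlevel of `vol` is consulted, so the English, French or any other banner text never matters; the same applies to the rest of the loader, where a command's errorlevel or `if exist` on a known path is the portable replacement for matching a localized message with findstr.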

Re: best virus scanning/removal tool for use in PE
« Reply #58 on: March 03, 2013, 01:19:13 PM »

JonF

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jan 2011
  • Posts: 291
I'm seeing an interesting problem with MBAM. I always have it set to run from RAM. If I force all programs into RAM (to get an ISO I can put on a stick and then boot), it always fails to see its database and won't download.

Re: best virus scanning/removal tool for use in PE
« Reply #59 on: March 23, 2013, 02:44:33 PM »

anshad

  • Chef
  • ***
  • Date Registered: Apr 2012
  • Posts: 323
There are two more tools which can be run from Win7PE and from safe mode with command prompt.

Norman Malware Scanner:  http://www.norman.com/home_and_small_office/trials_downloads/malware_cleaner

Emsisoft Emergency Kit Scanner: http://www.emsisoft.in/en/software/eek/  (based on the BitDefender engine)

There is also Microsoft's "Windows Defender Offline", which is good to disinfect ransomware and spyware.

 
