ShellSpells
  • 🧙‍♂️Welcome!
    • ShellSpells
    • FAQs
    • License & Disclaimer
  • 🐧Linux
    • System Ops
      • Transcripts
      • Help
      • System Info
        • Date/Time
        • System Details
        • Patches & Updates
        • Init System Identification
        • Hostname / Host ID
        • Variables
        • Hardware & Resources
      • Filesystem
        • Traverse & Enumerate
        • Drives & Partitions
        • Shares
        • Packages
        • Connected Devices
        • Kernel Modules (Drivers)
      • Users & Groups
        • Enumerate
        • Modify
      • Network
        • Enumerate
        • Modify
      • Scheduled Jobs
        • Enumerate
        • Modify
      • Processes
        • Enumerate
        • Modify
        • Custom Script and Shared Object
        • Process I/O Redirection
      • Services
        • Enumerate
        • Modify
        • Create a Service
      • Startup/Boot Scripts
        • Enumerate
        • Modify
      • Security
        • Antivirus
        • Firewall
        • SSH Keys
      • History & Logs
        • History
        • Logs
    • File Ops
      • Search
        • Filename
        • Content
        • Users (Owners)
        • Time
        • Size
        • Permission
        • Hidden Files
        • Inode
        • Find + Exec
        • Notes
      • Enumerate Metadata
      • Modify Metadata
      • Read Content
      • Modify Content
      • Extract Content
      • Sort / Compare / Count
      • Move
      • Copy
      • Execute
      • Hash
      • Encode/Decode
      • Compress/Decompress
      • Working With Weird Filenames
    • Terminal Ops
      • Keyboard Shortcuts
      • Tmux Shortcuts
  • 🪟Windows
    • System Ops
      • Transcripts
      • Help
      • System Info
        • One-liners
        • Date/Time
        • System Details
        • Hotfixes
        • Domain or Workgroup
        • Data Execution Prevention
        • Variables
        • Hardware & Resources
      • Filesystem
        • Traverse & Enumerate
        • Drives & Partitions
        • Installed Software
        • Drivers
        • Shares
      • Registry
        • Enumerate
        • Modify
        • Forensically Relevant Keys
      • Users & Groups
        • Enumerate
        • Modify
      • Network
        • Enumerate
        • Modify
      • Scheduled Tasks
      • Processes
        • Enumerate
        • Modify
      • Services
        • Enumerate
        • Modify
      • Autorun / Startup
        • Enumerate
        • Modify
      • Security
        • Permissions
          • Enumerate
          • Page
        • Antivirus
        • Firewall
          • Enumerate
          • Modify
        • Audit Policies
        • Remoting
          • Enumerate
          • Modify
          • Registry Locations
        • Stored Credentials
      • Remote Command Execution
      • Active Directory
        • Enumerate
        • Modify
      • History & Logs
        • History
        • Logs
      • PowerShell Config
      • Scripting
      • WMIC Notes
    • File Ops
      • Search
        • Filename
        • Time
        • Size
        • Permissions
        • Attributes
        • Wildcarding
      • Enumerate Metadata
        • One Liners
        • Users (Owners)
        • Timestamps
        • Size
        • Permissions
        • Attributes
      • Modify Metadata
        • Change Owner
        • Timestamps
        • Size
        • Attributes
      • Read Content
      • Modify Content
        • Overwrite
        • Insert
        • Append
        • Replace / Remove
        • Convert Case
        • Alternate Data Streams
      • Extract Content
      • Sort / Compare / Count
        • Sort
        • Count
        • Compare
      • Move
      • Copy
      • Execute
      • Hash
      • Encode/Decode
      • Compress/Decompress
      • Working With Weird Filenames
      • Output Formatting / Filtering
      • File Formatting
      • Operators
  • ⛓️Network
    • Traffic Manipulation
      • iptables
        • Option List
        • General Commands
        • Filter Tables
        • NAT
        • Mangle
        • Filter for SSH Traffic (Example)
      • nftables
    • Packet Capture
      • Syntax
      • TCPDump Examples
    • Packet Analysis
      • Wireshark
  • 🚗Maneuver
    • SSH
    • Control Sockets
    • RDP
    • Windows Port Proxy
  • 🛩️Data Transfer
    • SCP
    • FTP
    • Netcat
      • Netcat Relays
    • Server Interactions
    • Alternate Methods
  • 🪄REGEX
    • Examples
Powered by GitBook
On this page
  • Enumerate
  • Searching for AV
  • File System Exploration
  • AV Enum Script
  • Modify
  • Enable
  • Disable
  • Start
  • Stop

Was this helpful?

  1. Linux
  2. System Ops
  3. Security

Antivirus

Enumerate

Searching for AV

which [AV_command]

Checks if the antivirus executable is installed and accessible in the system's PATH.

ps -ef | grep [AV_process]

Looks for running antivirus processes in the system.

dpkg -l | grep [AV_package]

Checks if the antivirus package is installed on Debian-based systems.

rpm -qa | grep [AV_package]

Checks if the antivirus package is installed on RPM-based systems.

ps aux | grep antivirus

String search for "antivirus" in the process list.

pgrep -f antivirus

String search for "antivirus" in the process command arguments.

/etc/init.d

Look for scripts related to antivirus software.

systemctl list-unit-files --type=service

(Systemd) Check for service unit files related to antivirus software by name or vendor.

File System Exploration

Locate common antivirus directories:

Many antiviruses reside in specific directories like /usr/local/antivirus /opt/antivirus vendor-specific locations

Look for signature files:

Antiviruses often use signature files for malware detection. Search for common file extensions like .vdb, .dat, or vendor-specific formats in directories typically used for signatures (e.g., /var/lib/antivirus).

AV Enum Script

Searches for popular AVs. Customize accordingly.

This script has not been tested.

#!/bin/bash

# List of common antivirus commands or processes
antivirus_commands=("clamscan" "freshclam" "rkhunter" "chkrootkit" "clamav" "sophos" "avast" "avg" "bitdefender")

# Function to check if a command or process exists
check_existence() {
    if command -v "$1" &>/dev/null || ps -ef | grep -q "$1"; then
        echo "$1 is installed or running."
    else
        echo "$1 is not installed or running."
    fi
}

# Loop through the list of antivirus commands/processes
for antivirus_cmd in "${antivirus_commands[@]}"; do
    check_existence "$antivirus_cmd"
done

Modify

Enable

sudo systemctl enable <antivirus_service_name>

for systemd-based systems

sudo chkconfig <antivirus_service_name> on

for SysVinit-based systems

Disable

sudo systemctl disable <antivirus_service_name>

for systemd-based system

sudo chkconfig <antivirus_service_name> off

for SysVinit-based systems

Start

sudo systemctl start <antivirus_service_name>

for systemd-based systems

sudo service <antivirus_service_name> start

for SysVinit-based systems

Stop

sudo systemctl stop <antivirus_service_name>

for systemd-based systems

sudo service <antivirus_service_name> stop

for SysVinit-based systems

PreviousSecurityNextFirewall

Last updated 1 year ago

Was this helpful?

🐧