Hi there,
I have a question about malware/virus detection and removal procedures for anyone who's doing this in or around their BitCurator work. I've seen some older posts here where people mention using ClamAV.
Some background: I've been using BitCurator occasionally. I have a VM installation of 4.2 on a Windows 11 lab PC and have set up a shared folder so that I can experiment with BitCurator tools, but mostly I'm imaging or copying files in Windows (FTK Imager or TeraCopy). Lately, I've been using Brunnhilde in BitCurator to create reports of accessions, because this tool is amazingly helpful and bundles together many other tools, including ClamAV for detecting malware. It also generates a helpful log file of viruses found. So now I'm considering my whole process and options, with an eye toward immediately running Brunnhilde after copying, thinking that the virus scan and log info can just be easily bundled up right there.
More background/why: I am specifically asked to export file copies for archivists to review and appraise, so I need to ensure these are clean. So far I've encountered a few trojans, in easy-to-remove locations that the archivists had previously deemed unimportant, like /Downloads. After discussing with the archivists I'm working for, I just delete the files manually and note this in a templated text file I share with them. And while I could use our Windows enterprise endpoint security software (CrowdStrike), I guess I just _feel better_ doing this in BitCurator, since Brunnhilde is there and works fully (and its Windows install doesn't support virus scanning). If I've found something in Brunnhilde and deleted it, I do double-check with CrowdStrike in Windows before sharing it.
My questions:
I'm wondering if anyone here would like to share tips or sources they know about for identifying malware, with some info on what you actually do when you encounter malware?
If others are using ClamAV, which commands are you using to act, or do you use ClamScan for this?
Is this way easier in the most current release of BitCurator (mine still has ClamTK)?
Or, do you have other, easier tools or processes you've tried and would recommend?
I figured it's good to ask and gain from y'all's shared wisdom, since it's just me and I'd rather not invent when I can reuse. Let me know if I can explain better, please help correct any apparently incorrect assumptions, and of course feel free to give other suggestions. :)
Thank you!
Julianna
Digital Accessions Specialist
Digital Preservation Services
Harvard University
(she/her/hers)
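As an added example (not code from the post above, nor from Brunnhilde or ClamAV): a small Python script that reads the `FOUND` lines from a clamscan log, splits the hits into those under folders the archivists have agreed are disposable and those that still need a decision, and renders the note that goes into the shared text file. The accession paths, signature names and the `AUTO_REMOVE_DIRS` set are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of clamscan output: one "<path>: <signature> FOUND" line
# per hit, followed by the summary block. Paths and signature names are made up.
SAMPLE_SCAN_LOG = """\
/mnt/accession/2024-031/Downloads/installer.exe: Example.Trojan.Placeholder-1 FOUND
/mnt/accession/2024-031/Documents/grant_report.docm: Example.Macro.Placeholder-2 FOUND
/mnt/accession/2024-031/Temp/cache.tmp: Example.Adware.Placeholder-3 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8700000
Scanned files: 1520
Infected files: 3
"""

# Top-level folders the archivists agreed are disposable without review (assumed).
AUTO_REMOVE_DIRS = {"Downloads", "Temp"}

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_found(log_text):
    """Return (path, signature) pairs for every FOUND line; summary lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def triage(hits, accession_root):
    """Split hits into files safe to remove and files needing an archivist decision."""
    remove, review = [], []
    for path, sig in hits:
        try:
            rel = PurePosixPath(path).relative_to(accession_root)
        except ValueError:          # hit outside the accession tree: always review
            review.append((path, sig))
            continue
        top = rel.parts[0] if rel.parts else ""
        (remove if top in AUTO_REMOVE_DIRS else review).append((str(rel), sig))
    return remove, review

def render_note(accession_id, remove, review):
    """Build the plain-text note shared with the archivists."""
    lines = [f"Accession {accession_id}: ClamAV scan results", ""]
    lines.append(f"Removed ({len(remove)}):")
    lines += [f"  - {p}  [{s}]" for p, s in remove] or ["  (none)"]
    lines.append(f"Needs archivist decision ({len(review)}):")
    lines += [f"  - {p}  [{s}]" for p, s in review] or ["  (none)"]
    return "\n".join(lines)

if __name__ == "__main__":
    rm, rv = triage(parse_found(SAMPLE_SCAN_LOG), "/mnt/accession/2024-031")
    print(render_note("2024-031", rm, rv))
```

If you run clamscan directly rather than through Brunnhilde, `clamscan --recursive --infected --log=FILE --move=QUARANTINE_DIR` produces this log format and moves flagged files aside instead of deleting them, so the original is still available if an archivist decides it should be kept.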