On Mon, 24 Feb 2003, mike wrote:
> > On Sat, 22 Feb 2003, mike wrote:
> >
> >> https://qa.mandrakesoft.com/show_bug.cgi?id=2165
> >>
> >> The system had a fully installed and configured Windows 2000 Pro
> >> environment with the DOS and NTFS partitions listed.  Anti-virus
> >> software was installed and up to date.  The system was running
> >> fine - no issues.
> >>
> >> I attempted to install ML 9.1 RC1.  After having the graphic
> >> installers fail (even with expert mode) I attempted a text mode
> >> install.  The text mode install was successful.  As part of that
> >> install I used the text mode DiskDrake tool to build the swap and
> >> linux partitions and write the new boot sector to hda.
> >>
> >> When I rebooted the text lilo bootloader came up, and I selected
> >> linux; then BIOS anti-virus software immediately reported a boot
> >> sector virus.
> >
> > Did you resize the NTFS partition? It must update one entry, the
> > number of sectors of the new NTFS filesystem size, in the boot sector.
> > If the AV software isn't prepared/coded to take into account that NTFS
> > could be resized but just "blindly" does e.g. a checksumming on the boot
> > sector then it can report a false alarm.
> >
> > What AV software do you use? What virus was reported? If NTFS resizing
> > is involved then I must say I've never had any such report however with
> > a broken boot sector checker the situation you described is
> > imaginable.
>
> None of the original partitions were changed or resized.  The original
> partition layout was set up with a Linux dual-boot in mind.  After quite a
> bit more testing I'm leaning towards this being a false alarm, but what
> concerns me is that the only way to clear it (ever) is to do a complete
> cold re-boot (power drain and all) from a floppy or CD using a utility to
> overwrite the MBR with something new.
>
        [... censored protecting the possible guilty AV software ...]
>
> As part of further testing, I did a complete wipe and re-install of Win
> 2k.  Then I used PowerQuest's Partition Magic 4.0 to move around the new
> Win 2K NTFS partition and create some new Linux partitions.  I even had it
> change the bootable flag to a different partition.  None of these actions
> triggered the anti-virus warning.  But every time ML 91 RC-1 had the text
> DrakX / DiskDrake utility touch the MBR, an alert was triggered.

Ok, if the AV software can't recognise the Linux loader (LILO, etc.)
then it can indeed consider it as a virus. There are many such posts
(try e.g. 'lilo virus' on Google).

        Szaka
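
Added example, not part of the original thread: a sketch of why a whole-sector checksum alarms on any MBR rewrite, next to a field-aware comparison that reports which region changed (boot code, as when a loader is installed, versus partition entries or the active flag). It covers the MBR only, not the NTFS boot sector; all function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

CODE_END = 446  # bytes 0-445: boot code (plus disk signature); 446-509: table

def make_mbr(code, parts):
    """Build a constructed 512-byte MBR; parts = [(active, type, lba, sectors)]."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, lba, n)
                     for a, t, lba, n in parts).ljust(64, b"\0")
    return code.ljust(CODE_END, b"\0") + table + b"\x55\xaa"

def parse_table(mbr):
    """Decode the four 16-byte entries as (active, type, lba_start, sectors)."""
    out = []
    for off in range(CODE_END, CODE_END + 64, 16):
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        out.append((mbr[off] == 0x80, mbr[off + 4], lba, count))
    return out

def blind_check(baseline, current):
    """Naive checker: one digest over the whole sector, True if unchanged."""
    return hashlib.sha256(baseline).digest() == hashlib.sha256(current).digest()

def classify(baseline, current):
    """Field-aware comparison: return the set of MBR regions that differ."""
    for s in (baseline, current):
        if len(s) != 512 or s[510:512] != b"\x55\xaa":
            raise ValueError("not a 512-byte MBR with 55 AA signature")
    old, new = parse_table(baseline), parse_table(current)
    changed = set()
    if baseline[:CODE_END] != current[:CODE_END]:
        changed.add("boot_code")
    if [e[1:] for e in old] != [e[1:] for e in new]:
        changed.add("partition_layout")
    if [e[0] for e in old] != [e[0] for e in new]:
        changed.add("active_flag")
    return changed

# Constructed samples (not real loader code): same layout, three variants.
PARTS = [(True, 0x07, 63, 20000000), (False, 0x83, 20000063, 8000000)]
BASE = make_mbr(b"\x33\xc0 constructed original loader", PARTS)
NEW_LOADER = make_mbr(b"\xfa\xeb constructed replacement loader", PARTS)
FLAG_MOVED = make_mbr(b"\x33\xc0 constructed original loader",
                      [(False, 0x07, 63, 20000000), (True, 0x83, 20000063, 8000000)])

if __name__ == "__main__":
    for name, mbr in (("new loader", NEW_LOADER), ("flag moved", FLAG_MOVED)):
        print(name, "blind ok:", blind_check(BASE, mbr), "changed:", sorted(classify(BASE, mbr)))
```

A checker that compares only the boot-code region would stay quiet for the flag change and alarm for the loader replacement, which is the pattern reported in the thread.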

