I am wondering how to detect a virus or malware or anything that exists on an HDD (I am thinking of external hard drives). Doing a quick search led to these which aren't quite related:
- Virus checking and cleaning an external hdd
- Knowing if a malware infected something else than the hdd or ssd
- Cleaning a virus by mounting the infected hard disk on another machine?
- Can a computer virus be stored somewhere else than on the hard drive?
This is closer to what I'm talking about:
- https://www.cnet.com/forums/discussions/can-any-virus-survive-reformatting-the-hard-drive-49909/
- https://www.quora.com/Will-totally-wiping-a-computer-get-rid-of-viruses-malware-and-such
Quora states:
It depends on the malware. Reformatting will remove most malware, but there are exceptions. Just make sure to blow away the recovery partition and install from known good media.... Some malware can modify the BIOS or other parts of the computer that will survive a reformat of the hard drive. This type of malware is rare because it is specific to hardware.
For this question I am not interested in non-HDD viruses, only on HDD ones (for external hard drives, just to keep the question not too broad). I don't quite understand how hard drives work other than that they use magnetic material to store the data.
In programming (I am just a programmer, not really much security stuff), I just think "I store files on the hard drive". Some of those files can be "executable files". But if you don't execute those files you won't get a virus (ignoring other ways to get viruses outside of HDDs here). If you do run the file, and it "has a virus", I don't see how just turning your computer off and on again won't just stop the program from running. I know there are startup daemons, so maybe it would be a startup daemon, but if you just looked at ps ax
I would assume you would see the process listed. But this just goes to show I don't know much about how viruses work. Not directly related to the question, just wanted to add some context to the main question.
So the main question is, how to check there is a virus on the HDD. More generally, how to check that there might be any software or malware installed on the HDD. Wondering what needs to be done at a tool/software-independent level (i.e. at a theoretical level). Knowing of some standard tools would be helpful in some sense too, might make it easier to understand by example.
My knowledge basically is limited to "just type ps ax
and check the processes". But maybe the virus either isn't listed there, or it changes its name. Also, this is just 1 unix command, I don't know if there is anything else to do. Maybe you can manually scan the drive's contents and look for some feature of some sort. Or I don't know, that's what I'm wondering.
By "from scratch" in the title, I mean without relying on some tool like "just run antivirus software X". What if you wanted to just write some C code or some Assembly, wondering at that level (not specific implementations necessarily) what you would be writing code for in order to solve the problem.