Wednesday, 2 April 2014

Adding the Kaspersky Rescue ISO to Easy2Boot (with persistent updates)

You can easily download the kav_rescue_10.iso or krd.iso file and add it to your E2B drive. Just copy it to the \_ISO\MAINMENU folder.

Download here.

Note: When converting to a .imgPTN file for UEFI+MBR booting, do not add rEFInd, and say No to the prompt:
'Timeout in 10 seconds       (default=N )... AUTO-CORRECT? (Y/N) : '
so that the .cfg files are not auto-converted.

See the new Kaspersky Forum if you have any queries, and the Forum post here.

When you first run it, you will want to update the virus definitions. When you do so however, it will store the updates on an internal hard disk of the system that you booted the E2B USB drive from, instead of storing them on the E2B USB drive. This means that when you boot on a different system, you will have to download the updates all over again (if the system has an internet connection).

IMPORTANT: The key to the whole procedure is to ensure that Kaspersky linux mounts all the storage devices as volumes by selecting a drive to scan FIRST. This will not be done if you do not select a drive to scan when prompted, or if you use the 'Skip' button when prompted because the volume is 'dirty'.
Allow it to mount the disks...
Once all the volumes have been mounted, you should see the icons on the Desktop - if not, then it won't find the Updates on the USB drive and you will have to reboot!

Make sure you see desktop icons for the USB drive (e.g. sdb1).

MBR-booting from krd.iso with persistence

The instructions to get persistent updates to stay on the E2B USB drive are:

1. Download a recent ISO file from http://support.kaspersky.com/viruses/rescuedisk#downloads - it should be under 'Distributive' and called  kav_rescue_10.iso or krd.iso.

2. Copy it to a menu folder, e.g. \_ISO\MainMenu folder (or \_ISO\ANTIVIRUS or any other menu folder where you want it to be listed).

Create an empty folder called "\Kaspersky Rescue Disk 10.0" on the E2B USB drive now.
Note: For krd.iso 2018 versions, the folder name has changed to \KRD2018_Data. Use this exact name and capitalisation.

3. Boot from the ISO menu entry. Ensure that your USB drive (sdb1) volume has been mounted and appears as an icon on the Desktop as well as the C: drive icon (don't abort any dialogs!). If they are not there then reboot and try again.

On first boot to Kaspersky from E2B using this menu, download the updates (you will obviously need an internet connection). They will usually be automatically stored on internal Hard Disk C: by Kaspersky but if it finds the "\Kaspersky Rescue Disk 10.0" folder on the E2B drive, it may copy the updates there instead.

4. When the download of the updates has finished, if the USB \Kaspersky Rescue Disk 10.0 folder is empty, copy the whole "\Kaspersky Rescue Disk 10.0" folder (which now contains the updates) from C: or sda1 (the internal HDD) to sdx1, which is partition 1 of the USB drive (if you only have one hard disk, the USB drive will be sdb1).

Now rename the "C:\Kaspersky Rescue Disk 10.0" folder on the hard disk to something else like 'Junk' to get rid of it.

IMPORTANT: Ensure the update folder \Kaspersky Rescue Disk 10.0 does NOT exist on the Target hard disk in any volume. It must only exist on the E2B USB drive, otherwise it may update the wrong folder.

5. On the next boot, the updates should be found to be already present on USB drive (check you can see the drive icon on the Desktop).

Checks

If you find that the Updates are old or not present...

1. Ensure you can see the sdx1 icon on the Desktop to show it has been mounted as a volume by Kaspersky.

2. Ensure any target system you test does not already have the \Kaspersky Rescue Disk 10.0 folder anywhere on any HDD in the system - if so delete it and reboot from USB.

Always shutdown Kaspersky linux nicely or updates may not be saved!

E2B USB Drive contents when it is all running smoothly are:

\_ISO\MAINMENU\kav_rescue_10.iso
\Kaspersky Rescue Disk 10.0 (or \KRD2018_Data)


Kaspersky 2018 with UEFI (using a two-partition E2B drive)

Converting the ISO to a FAT32 .imgPTN file is easy, however the \KRD2018_Data folder is not found by Kaspersky Rescue if it is in the boot partition, so we cannot simply create this folder inside the new .imgPTN partition (but see section below if you want to do this).

Create or use the second partition of the E2B drive which should have at least 1GB of free space available or else it will not be used (exact size TBD - it works if 4.1 GB free on a 7GB volume).

Then simply create an empty \KRD2018_Data folder on the 2nd partition of the E2B drive and use a .imgPTN23 file extension.

IMPORTANT: For UEFI booting say 'N=No' when prompted by MakePartImage to AUTOCORRECT the .cfg files because the EFI boot files are signed.

Use Switch_E2B.exe to switch to the krd2018.imgptn23 file.

Edit the \menu.lst file (the one inside the large .imgPTN file) to add these lines to the bottom of the file:

#use lang=ru for russian

title KAV 32-bit\nBoot to Kaspersky Rescue
kernel /boot/grub/k-x86 net.ifnames=0 lang=en dostartx backstore=alldev
initrd /boot/grub/initrd.xz
boot

title KAV 64-bit\nBoot to Kaspersky Rescue
kernel /boot/grub/k-x86_64 net.ifnames=0 lang=en dostartx backstore=alldev
initrd /boot/grub/initrd.xz
boot

The two partitions on the E2B drive should now be:
Partition 1: Contains a \boot folder and \System folder + other E2B files + \menu.lst (modified)
Partition 2: Contains empty \KRD2018_Data folder

Now you can UEFI or MBR boot (using the new menu entries) and ensure you have an internet connection so that it can download the latest updates. Check that there are now files in the \KRD2018_Data\Bases folder...

If updates do not appear to be persistent, delete any folder on any drive named \KRD2018_Data  except for the folder on the second partition of the E2B USB drive.

You can use the terminal command:
find / -name 'KRD2018_Data'
to find where the data files are located after updating/downloading the updates.
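The checks described above (exactly one KRD2018_Data folder, enough free space on the volume that holds it, and the E2B partition actually mounted on /livemnt/boot) can be scripted from the Kaspersky Rescue terminal. The script below is an added example and is not part of the original post, of Easy2Boot or of Kaspersky; it assumes the mounted volumes sit below the directory you pass as the first argument, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post, Easy2Boot or Kaspersky):
# scripted versions of the persistence checks described on this page.
# Assumptions: mounted volumes live below the directory given as $1;
# 1 GiB (1048576 KiB) stands for the page's "at least 1GB free";
# function names are my own.

# List every directory named KRD2018_Data below $1 (case matters:
# krd2018_data or KRD2018_data will not be found here, nor by Kaspersky).
krd_data_dirs() {
    find "$1" -type d -name 'KRD2018_Data' 2>/dev/null
}

# Exactly one KRD2018_Data folder must exist, and only on the E2B drive.
# Returns 0 if unique, 1 if missing, 2 if duplicated (updates may then
# land on the internal HDD instead of the USB drive).
krd_check_unique() {
    n=$(krd_data_dirs "$1" | wc -l | tr -d ' ')
    case "$n" in
        1) return 0 ;;
        0) echo "no KRD2018_Data folder found below $1" >&2; return 1 ;;
        *) echo "$n KRD2018_Data folders found; keep only the E2B one:" >&2
           krd_data_dirs "$1" >&2; return 2 ;;
    esac
}

# The volume holding $1 needs at least $2 KiB free (default 1 GiB).
krd_check_space() {
    need=${2:-1048576}
    free=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    [ "$free" -ge "$need" ]
}

# Given the text output of 'mount', print the device mounted on
# /livemnt/boot (should be the E2B USB partition, e.g. /dev/sdb1).
krd_boot_device() {
    printf '%s\n' "$1" | awk '$3 == "/livemnt/boot" { print $1 }'
}

# Run all three checks against a mount root and a 'mount' listing.
krd_checks() {
    krd_check_unique "$1" || return 1
    krd_check_space "$(krd_data_dirs "$1")" || return 1
    dev=$(krd_boot_device "$2")
    [ -n "$dev" ] && echo "/livemnt/boot is on $dev"
}
```

On a live system run it as `krd_checks / "$(mount)"`; a non-zero exit means one of the preconditions for persistent updates is not met.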

UEFI boot files

Recent Kaspersky 18 UEFI boot files and menus in the ISO are signed and checked (they have .sig files). If you modify the .cfg menu files then it will not UEFI boot. For this reason choose N (do not AutoCorrect) when prompted by MakePartImage when you make the .imgPTN file.


E2B Fixed-disk USB drives only...

If your USB drive is a hard drive/fixed disk type, you will need to modify the kav-menu.cfg file for persistence. To work around the signed file issue, find an Ubuntu 64-bit ISO and copy the files from its \EFI\BOOT folder to the same folder on the E2B drive, thus overwriting \EFI\BOOT\bootx64.efi on the FAT32 partition. Just Ubuntu's bootx64.efi and grubx64.efi are required for UEFI64 booting.

You will need to modify \boot\grub\x86_64-efi\cfg\kav-menu.cfg to add the backstore=alldev cheat code for persistence to work if you are booting from a USB hard disk.

kav-menu.cfg


menuentry "${kav}" {
linux /boot/grub/k-x86_64 net.ifnames=0 lang=${lang} dostartx backstore=alldev
initrd /boot/grub/initrd.xz
}

menuentry "${kav_nomodeset}" {
linux /boot/grub/k-x86_64 net.ifnames=0 nomodeset xforcevesa lang=${lang} dostartx backstore=alldev
initrd /boot/grub/initrd.xz
}

#menuentry "${kav_rescue_text}" {
# linux /boot/grub/k-x86_64 net.ifnames=0 lang=${lang} nox nomodeset
# initrd /boot/grub/initrd.xz
#}

menuentry "${hardware_info}" {
linux /boot/grub/k-x86_64 net.ifnames=0 lang=${lang} docache loadsrm=000-core.srm,003-kl.srm nox hwinfo docheck
initrd /boot/grub/initrd.xz
}

source /boot/grub/${grub_cpu}-${grub_platform}/cfg/boot_from_hard.cfg

Kaspersky 2018 UEFI & MBR + persistence

As found by Ahmed (see comments), if your E2B USB drive is of the Removable type, you can create a persistent backup store using the Kaspersky linux script in the Start Menu, but this does not work when booting from Fixed-disk USB drives (e.g. Corsair GTX, SilverStone M.2 or when using a VM under VirtualBox\QEMU where the USB drive appears as a Fixed-disk).

For persistence to work, you must use a Removable-type USB flash drive unless you modify the .cfg menus...

Note: Only recent versions of KRD2018 include the 'Create persistent volume' menu feature.

1. Drag-and-drop the latest version of KRD2018 onto the MPI_FAT32 Desktop shortcut to create a large .imgPTN file. I chose a size of 2200MB and a name of KRD2018_2019_08.imgPTNAUTO. You must allow enough free space for the updates (I found that 2000MB was not quite enough, by about 16MB!). Do NOT AUTO-CORRECT the configuration files when prompted by MakePartImage, as this makes them unsigned.

2. Copy the krd.imgPTN file to your E2B \_ISO\ANTIVIRUS folder, make it contiguous and use SWITCH_E2B.exe to switch in the new partition.
Using a Fixed-disk E2B USB drive? Do not use the CSM '1 Boot from this drive (MBR mode)' boot menu entry if you need persistence, because it does not use the backstore=alldev cheat code and you will not get persistence on a fixed-disk USB drive.
Add the two menu entries shown above to the E2B CSM \menu.lst file.

3. Now MBR-boot on a real system to the E2B Removable drive (do not use a VM unless you have the backstore=alldev cheat code in the menu).

4. Accept the licence agreements and perform an update if prompted.

5. Quit the AV scan.

6. Run - System - Create persistent volume from the Start Menu and create a krd.bs file of the suggested size - just follow the prompts (do not create a Backup, as this will use up all the free space!).

There seems to be a problem with the suggested min and max sizes, so choose a size somewhere between the two limits suggested by the script.

7. You should be prompted to reboot - so do so.

8. You may see this message if the updates are not stored on a disk :-( ...

Now use the Terminal; you should see that the mount command shows /livemnt/boot is on your E2B USB drive...

and the backstore folder should be apparent...

UEFI-boot error when using Virtual Box?

Note: if testing using a Virtual Machine you may need to remove or rename the \System folder, because some VMs UEFI-boot from this Mac UEFI boot folder instead of from the \EFI\boot folder.


This message can also indicate that you need to update the \EFI\boot folder with the Ubuntu EFI boot files as described above, because one or more of the .cfg files are not original (e.g. they have been edited or altered) and their signatures will no longer match.

Kaspersky signed files

If you are interested in why Kaspersky has added signed file checking (.sig files) for .cfg files, even for UEFI unsecure booting, see here.

12 comments:

  1. Hello
    I played around with KRD.iso and I discovered that the updates are permanent on the E2B USB if I create the \KRD2018_Data folder and just boot the krd.iso. No need for a .mnu, imgPTN or kaspersky-rw file.

  2. yes, that is what this blog says - did you not read it!

  3. This comment has been removed by a blog administrator.

  4. KRD2018_Data is created on sda4 although exists on sdb3? What am I doing wrong?

  5. @Steve_Si I followed the above tutorial for KRD 2018 UEFI booting with a single partition on the USB, but every time I boot the rescue it creates a krd2018_data folder on my HDD and refuses to load the one on the USB. I tried both the imgptn and imgptn23 extensions but still no luck.

  6. Are you following the last part of the blog?
    The one that tells you how to prepare for UEFI and how to make TWO PARTITION IMAGE FILES krd2018.imgptn + krd2018 ?

    What is your 'usb' exactly? A Removable type of Fixed-disk type?

    Did you try both MBR and UEFI booting?

    You can't just say 'I tried it and it didn't work' since I have no idea EXACTLY what you tried.

    It clearly did work for me, so you need to accurately describe what you did - how do I know you followed the instructions correctly?

    Did you make sure the same krd2018_data folder is not on any other volume?

    What exact ISO are you using?

    Steve

  7. P.S. Folder name should be KRD2018_Data not krd2018_data or KRD2018_data.

  8. I have been retesting and they seem to have modified the scripts. I tried a 300MB partition for the KRD2018_Data folder and also a 1.3GB partition but that didn't work. I then tried just using a krd2018.imgPTN23 file and a KRD2018_Data empty folder in the second partition on the E2B drive. The 2nd partition was 7.5GB with 4.1GB of free space. This time it worked and the Bases folder and others were placed on the E2B 2nd partition.
    I found a support page at https://support.kaspersky.com/14231 which suggests the script is testing for a certain amount of free space on each volume.

  9. @steve,si
    I found another way to make KRD persistent.
    1- create krd2018.imgptn with 2GB size
    2- create a persistence file called krd.bs using the tool provided in the rescue CD with size 1.3 GB
    3- reboot and voila! It works and the updates are persistent.
    The file is mounted in /livemnt/memory/krd

  10. OK - I finally got this working!!! It does not work if you use a Fixed-Disk type of E2B USB drive. It only works if the USB drive is of the Removable type. For this reason it also does not work using VirtualBox and booting from the USB as a virtual hard drive. If you boot from a real system and use a Removable USB drive and there is enough free space, then it works.

  11. I have added a fix for fixed-disk E2B USB drives now and also how to UEFI boot.
