2nd layer protection for USB drives: MCShield

[DavidR]

Not so much an interesting effect, just normal as when new files are created they will be scanned by the file system shield, if they are detected then they will be actioned as per your settings.

Whilst the files are in the USB they are inert, when run they would be scanned or in this case moved/copied to the hard disk it is a newly created file which would get scanned (depending on file type).

[George Yves]

Not so much an interesting effect,

I find it interesting because it was totally unexpected. It means that MCShield's quarantine folder occurs not to be safe for keeping removed malware.

[DavidR]

Safe is a different interpretation, since any quarantine isn't the location that the file would be if it were sent from the USB to the hard drive any command to run it wouldn't know where it was (e.g. the quarantine location), so the risk is limited.

Yes it would be preferable if it encrypted the data and protected the folder, but that would require that the program be more active than just when you plug a USB in.

It isn't that strange when there are many security programs that done even encrypt their virus signatures just waiting for avast to detect them

[Lisandro]

It means that MCShield's quarantine folder occurs not to be safe for keeping removed malware.

What do you mean? Can the malware be automatically executed when moved into the quarantine?

[magna86]

@iroc9555
Yes, thats officijal. 
http://amf.mycity.rs/mcshield
(you may read about us)

Or...
Softpedija - Mirror download link

PS: McShield.exe is McAfee related. 

@George Yves

I'll try to install it again at my home notebook with Vista SP2, Avast Free and SpywareTerminator 2012. I'll do it just to send you the logs.

Thank you very much for that. 

@All
> Files in Quarantine are completely harmless and they are not executable.

If you have any questions or concerns, be free to ask:

Code: [Select]

mcshield.support[at]gmail.com
................

There are many articles by others that have been written about MCShield. Some are on our language as well as English.
I currently have this link in hand:
http://www.insightsintechnology.com/2012/03/mcshield-2-shields-pc-from-usb.html

Just for records 

MCShield where tested on huge number of malware and worms ( even the latest one ).
Not only on our labolatory or on some virtual machines, we do in practice (schools, copy photo shops and similar institutions where the high frequency of use USB Memory drives.
We test and compare MCShield with Panda and USB Security and MCS hase convincingly beat known competition.
And its freewere.



PS: Question for all of you guys if you dont mind. 

Could it be someone in a mood to translate MCShield into another language?
Currently, MCShield has been translated into three languages:
English; Serbian; Polski.

Translation is easy, and if maybe someone are in the mood just let me know to PP.
Anyone who is willing to do so, will be hung a nickname ( or full name ) in the MCShield > Abaut > Credits ( of course if you want to )




Thanks for review 

[Lisandro]

PS: McShield.exe is McAfee related. 

http://amf.mycity.rs/mcshield/about.html
Where are you seeing evidence for this affirmation?

[magna86]

http://amf.mycity.rs/mcshield/about.html
Where are you seeing evidence for this affirmation?

Or you did not understand me or I was not clear enough.

McShield.exe ( \%Program Files%\McAfee ) is McAfee related.
MCShieldRTM.exe [MC- aka MyCity] ( \%Program Files%\MCShield) is MCShield Anti Malware tool related.

[George Yves]

It means that MCShield's quarantine folder occurs not to be safe for keeping removed malware.

What do you mean? Can the malware be automatically executed when moved into the quarantine?

When an anti-malware program moves something into its quarantine folder, I expect that no other anti-malware program will find them dangerous. But as I have said above, Avast detected files in MCShield's quarantine as threats and moved them into its own chest. So, if Avast found already quarantined items as threats, I supposed that MCShield's quarantine folder is not safe.

[George Yves]

Hm...I'll will contact developers.

Start -> All Programs -> MCShield -> Logs

Please attach here:
AllScans.txt
Summary.txt

Well, I didn't find the logs in the program's folder. Maybe it's because I have Vista SP2, not XP. I found them in C:\ProgramData\MCShield. The files were empty: there were only their names inside them - >>> MCShield AllScans.txt <<< and >>> MCShield Summary.txt <<<.

If you need, I have dumps from the latest crashes. For every crash Windows created a set of files: AppCompat.txt, Version.txt, memory.hdmp and minidump.mdmp.

[bob3160]

I just created a bootable USB drive and forgot to take it out of the computer.
When I rebooted, MCShield changed some of the files to make booting impossible......
(not a good moove.  )

[schmidthouse]

I just created a bootable USB drive and forgot to take it out of the computer.
When I rebooted, MCShield changed some of the files to make booting impossible......
(not a good moove.  )

Interesting, I've never done that, but didn;t think of that either

[Lisandro]

MCShield changed some of the files

Do you have details? I'll drop my recommendation if it is changing files... It shouldn't. It should be only a heuristic scanner.

[dr_Bora]

Hello, I'm one of the authors of the program you are discussing.
I saw some interesting questions and thought I'd reply. I hope this will not be considered spam/advertising by the moderating team (if that's the case, nuke the post and accept my apology).


@bob3160: normally, a flash drive is a storage media and if used that way, false detections should not occur, but there's a number of legit programs (example: Lupo Pen Suite and similar, bootable drives, memory cards used in some devices) that use either different autorun methods or exhibit certain behavior that can often be seen on infected drives.
To prevent these FPs, MCS has a whitelist containing hashes of a number of known legitimate files that need to be protected from detection. Unfortunately, I'm the only one that maintains this database and I definitely have no way of knowing about every possible program that would need to be protected from detections.
Obviously, false positives must happen from time to time and they are fixed when users report them to me.
So, if you show me the logfile of that scan, the files are going to be whitelisted and the detections will not reoccur (I need the log because it contains the MD5s of the files).

@Tech: the program renames or moves to quarantine, it never changes the contents of the files. So, you can't really loose a file (or it's contents) that was detected, it's always there, either in the original location (renamed) or in the quarantine folder.


As far as the name goes, beginning from version 2 the program's official name is: "MCShield ::Anti-Malware Tool::" (it was only MCShield before). The name was changed so that a certain AV vendor wouldn't get mad at us. 
Of course, my intention was never to confuse people and make them believe that MCS has something with McAfee and MC stands for MyCity (my home forum).


The quarantine and occasional detections that AVs make in there... Yes, I agree that this is not perfect and the other programmer and I discussed the encryption many times, but we never got to making it. You know, real life, jobs and stuff like that. Hopefully, we'll get to it one day.

Is the quarantine safe? Well, malware in that folder can't start by itself. So, unless you go there and start clicking on files you know to be malicious, you won't have any problems.

[schmidthouse]

@ dr_Bora
THank you for further information as I have recently installed and am using MCShield, simply as I've stated to monitor exchanging USB devices.
Appreciate your time.

[Lisandro]

Thanks for coming Bora and thanks for the information.
Keep your good work.