Author Topic: 2nd layer protection for USB drives: MCShield  (Read 132468 times)


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: 2nd layer protection for USB drives: MCShield
« Reply #75 on: September 13, 2012, 09:55:50 PM »
Guys, I just wish to point out a couple of things.  :)

There are a bunch of USB antivirus programs. Some of them are good, but...
Among a few things, the main difference between those USB antivirus programs and MCShield is:

- USB antivirus programs mainly work at the level of definitions.
That means if your USB stick is infected by some malware, it will be blocked and removed by such a USB AV only if it has its signature.

- MCS mainly works with its heuristics.
That means if your USB is infected by some malware, MCS will block and remove the malware if it uses any known attack vector.

There is one more thing to know. There is no perfect software.   ;D



« Last Edit: September 13, 2012, 10:02:57 PM by magna86 »

Offline SpeedyPC

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3398
  • Avast shall conquer the whole world
Re: 2nd layer protection for USB drives: MCShield
« Reply #76 on: September 14, 2012, 07:58:25 AM »
There is one more thing to know. There is no perfect software.   ;D

100% correct ;) and the real question is: do I really need MCShield when Avast & Outpost Pro FW are both doing their job when I insert a USB into my PC??? :o
Gigabyte 670 LGA1200 Full ATX MB | Intel Core i9-13900 CPU/LGA 1700 | GeForce Nvidia RTX-4070/12GB | 32GB DDR4 | 2 x 1TB Samsung SSD | W11 Home 64bit | Avast Premium v24.3.6108 | Avast SecureLine VPN | Avast Secure Browser | Avast Driver Updater | Avast BreachGuard | Firefox 64bit | MalwareBytes Premium | Adguard Premium | CCleaner Portable | Macrium Reflect | 7-Zip

argus

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #77 on: September 14, 2012, 08:47:06 AM »
If you have 20 folders on a USB drive and every one of them contains the worm, MCS will disinfect each folder separately. Here's an example of the log.
This is a beta version of V.1.  ;D

10.4.2010 21:41:58 > Checking F: ( ~2 GB, FAT flash drive )...

>>> F:\autorun.inf > Renamed.

---> Traces of file replicators have been found!
---> Running generic s&d routine...
---> Note: Win32.Brontok has been identified!

>>> F:\pozuda\malena.exe - Worm > Deleted. (10.04.10. 21.50 malena.exe.310803)
>>> F:\7-Zip Portable.exe - Worm > Deleted. (10.04.10. 21.50 7-Zip Portable.exe.775413)
>>> F:\AbiWord Portable.exe - Worm > Deleted. (10.04.10. 21.50 AbiWord Portable.exe.164937)
>>> F:\autorun.exe - Worm > Deleted. (10.04.10. 21.50 autorun.exe.370266)
>>> F:\AM-DeadLink.exe - Worm > Deleted. (10.04.10. 21.50 AM-DeadLink.exe.512535)
>>> F:\ArcThemALL!.exe - Worm > Deleted. (10.04.10. 21.50 ArcThemALL!.exe.882467)
>>> F:\Audacity.exe - Worm > Deleted. (10.04.10. 21.50 Audacity.exe.211817)
>>> F:\DCU.exe - Worm > Deleted. (10.04.10. 21.50 DCU.exe.223767)
>>> F:\Defraggler.exe - Worm > Deleted. (10.04.10. 21.50 Defraggler.exe.220542)
>>> F:\Directory Lister.exe - Worm > Deleted. (10.04.10. 21.50 Directory Lister.exe.26955)
>>> F:\Double Driver.exe - Worm > Deleted. (10.04.10. 21.50 Double Driver.exe.843601)
>>> F:\DSynchronize.exe - Worm > Deleted. (10.04.10. 21.50 DSynchronize.exe.402451)
>>> F:\DTaskManager.exe - Worm > Deleted. (10.04.10. 21.50 DTaskManager.exe.988153)
>>> F:\DVD Shrink.exe - Worm > Deleted. (10.04.10. 21.50 DVD Shrink.exe.231047)
>>> F:\eMule.exe - Worm > Deleted. (10.04.10. 21.50 eMule.exe.971208-)
>>> F:\EssentialPIM Portable.exe - Worm > Deleted. (10.04.10. 21.50 EssentialPIM Portable.exe.308648-)
>>> F:\Extra.exe - Worm > Deleted. (10.04.10. 21.50 Extra.exe.765168-)
>>> F:\Fast Explorer.exe - Worm > Deleted. (10.04.10. 21.50 Fast Explorer.exe.365914)
>>> F:\Data ADMINISTRATOR.exe - Worm > Deleted. (10.04.10. 21.50 Data ADMINISTRATOR.exe.157152)
>>> F:\7-Zip Portable\7-Zip Portable.exe - Worm > Deleted. (10.04.10. 21.50 7-Zip Portable.exe.49016)
>>> F:\7-Zip Portable\App\App.exe - Worm > Deleted. (10.04.10. 21.51 App.exe.685574)
>>> F:\7-Zip Portable\App\7-Zip\7-Zip.exe - Worm > Deleted. (10.04.10. 21.51 7-Zip.exe.939444)
>>> F:\7-Zip Portable\App\7-Zip\Lang\Lang.exe - Worm > Deleted. (10.04.10. 21.52 Lang.exe.984123)
>>> F:\7-Zip Portable\App\DefaultData\settings\settings.exe - Worm > Deleted. (10.04.10. 21.52 settings.exe.299917)
>>> F:\7-Zip Portable\Docs\Docs.exe - Worm > Deleted. (10.04.10. 21.52 Docs.exe.606395)
>>> F:\7-Zip Portable\Docs\Other\Help\images\images.exe - Worm > Deleted. (10.04.10. 21.52 images.exe.121514)
>>> F:\7-Zip Portable\Docs\Other\Source\Source.exe - Worm > Deleted. (10.04.10. 21.52 Source.exe.434815)
>>> F:\AbiWord Portable\AbiWord Portable.exe - Worm > Deleted. (10.04.10. 21.52 AbiWord Portable.exe.9760)
>>> F:\AbiWord Portable\App\App.exe - Worm > Deleted. (10.04.10. 21.52 App.exe.951171)
>>> F:\AbiWord Portable\App\DefaultData\settings\settings.exe - Worm > Deleted. (10.04.10. 21.52 settings.exe.579467)
>>> F:\AbiWord Portable\Docs\Docs.exe - Worm > Deleted. (10.04.10. 21.53 Docs.exe.941481)
>>> F:\AbiWord Portable\Docs\Other\Help\images\images.exe - Worm > Deleted. (10.04.10. 21.53 images.exe.303804)
>>> F:\AbiWord Portable\Docs\Other\Source\Source.exe - Worm > Deleted. (10.04.10. 21.53 Source.exe.506247)
>>> F:\AM-DeadLink\AM-DeadLink.exe - Worm > Deleted. (10.04.10. 21.53 AM-DeadLink.exe.400385)
>>> F:\AM-DeadLink\lang\lang.exe - Worm > Deleted. (10.04.10. 21.53 lang.exe.842605)
>>> F:\Extra\Eigenmath\Eigenmath.exe - Worm > Deleted. (10.04.10. 21.53 Eigenmath.exe.380858-)
>>> F:\Extra\eToolz\eToolz.exe - Worm > Deleted. (10.04.10. 21.53 eToolz.exe.936342)
>>> F:\Extra\eXpresso\eXpresso.exe - Worm > Deleted. (10.04.10. 21.53 eXpresso.exe.139397)
>>> F:\Extra\FileTypesMan\FileTypesMan.exe - Worm > Deleted. (10.04.10. 21.53 FileTypesMan.exe.413121)
>>> F:\Extra\HD Tune\HD Tune.exe - Worm > Deleted. (10.04.10. 21.53 HD Tune.exe.755064)
>>> F:\Extra\HotKeyz\HotKeyz.exe - Worm > Deleted. (10.04.10. 21.53 HotKeyz.exe.259995)
>>> F:\Extra\HxD\HxD.exe - Worm > Deleted. (10.04.10. 21.53 HxD.exe.853525)
>>> F:\Extra\KiTTY\KiTTY.exe - Worm > Deleted. (10.04.10. 21.53 KiTTY.exe.286650)
>>> F:\Extra\md5hash\md5hash.exe - Worm > Deleted. (10.04.10. 21.53 md5hash.exe.545199)
>>> F:\Extra\MyUninstaller\MyUninstaller.exe - Worm > Deleted. (10.04.10. 21.53 MyUninstaller.exe.38059)
>>> F:\Extra\NetSetMan\NetSetMan.exe - Worm > Deleted. (10.04.10. 21.53 NetSetMan.exe.146698-)
>>> F:\Extra\NetWorx\NetWorx.exe - Worm > Deleted. (10.04.10. 21.53 NetWorx.exe.706599)
>>> F:\Extra\RegASSASSIN\RegASSASSIN.exe - Worm > Deleted. (10.04.10. 21.53 RegASSASSIN.exe.593608-)
>>> F:\Extra\RegFromApp\RegFromApp.exe - Worm > Deleted. (10.04.10. 21.53 RegFromApp.exe.991573)
>>> F:\Extra\Registry Tweaker\Registry Tweaker.exe - Worm > Deleted. (10.04.10. 21.53 Registry Tweaker.exe.739955)
>>> F:\Extra\RegScanner\RegScanner.exe - Worm > Deleted. (10.04.10. 21.53 RegScanner.exe.508190)
>>> F:\Extra\Regshot\Regshot.exe - Worm > Deleted. (10.04.10. 21.53 Regshot.exe.149955)
>>> F:\Extra\ShellExView\ShellExView.exe - Worm > Deleted. (10.04.10. 21.53 ShellExView.exe.61148-)
>>> F:\Extra\ShellMenuView\ShellMenuView.exe - Worm > Deleted. (10.04.10. 21.53 ShellMenuView.exe.698541)
>>> F:\Extra\SQLiteSpy\SQLiteSpy.exe - Worm > Deleted. (10.04.10. 21.53 SQLiteSpy.exe.494020)
>>> F:\Extra\Unlocker Portable\App\Unlocker\Unlocker.exe - Worm > Deleted. (10.04.10. 21.53 Unlocker.exe.963310)
>>> F:\Extra\USBDeview\USBDeview.exe - Worm > Deleted. (10.04.10. 21.53 USBDeview.exe.588064)
>>> F:\Extra\VirtuaWin\VirtuaWin.exe - Worm > Deleted. (10.04.10. 21.53 VirtuaWin.exe.816264)
>>> F:\Extra\Volumouse\Volumouse.exe - Worm > Deleted. (10.04.10. 21.53 Volumouse.exe.824672)
>>> F:\Extra\WinIPS\WinIPS.exe - Worm > Deleted. (10.04.10. 21.53 WinIPS.exe.667293)
..........

> F:\pozuda
>>> F:\pozuda - Worm.Traces > Deleted. (10.04.10. 21.57 pozuda.449012)
>>> F:\pozuda.exe - Worm.Sus > Renamed.

> Restoring defaults: F:\7-Zip Portable
> Restoring defaults: F:\AbiWord Portable
> Restoring defaults: F:\AM-DeadLink
> Restoring defaults: F:\ArcThemALL!
> Restoring defaults: F:\Audacity
> Restoring defaults: F:\DCU
> Restoring defaults: F:\Defraggler
> Restoring defaults: F:\Directory Lister
> Restoring defaults: F:\Double Driver
> Restoring defaults: F:\DSynchronize
> Restoring defaults: F:\DTaskManager
> Restoring defaults: F:\DVD Shrink
> Restoring defaults: F:\eMule
> Restoring defaults: F:\EssentialPIM Portable
> Restoring defaults: F:\Extra
> Restoring defaults: F:\Fast Explorer


The message exceeds the maximum allowed length (10000 characters).

Not all the care in the post  ;D

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: 2nd layer protection for USB drives: MCShield
« Reply #78 on: September 14, 2012, 02:15:40 PM »
I had a problem today with MCShield 2: start-up on Vista failed, and a repair to "last good start-up" removed just MCShield 2. Then I also checked SpywareBlaster and saw I had to restore protection in SpywareBlaster for some IE protection items. Why did this happen? Two Skype plug-ins that I had uninstalled were installed back in IE after that repair routine. I disabled them again, restored full protection and re-installed MCShield 2. I think Skype is behaving rather aggressively. I will see what will happen next,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

adotd

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #79 on: September 14, 2012, 02:32:30 PM »
I have MCShield on my computer.

It renamed a file called explorer.exe on my memory stick to explorer.exe.vir.

It said it was suspicious; however, it was a program that I had renamed to explorer.exe  ::)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: 2nd layer protection for USB drives: MCShield
« Reply #80 on: September 14, 2012, 02:44:21 PM »
Hi adotd,

As with all solutions that have to prove themselves, we will keep a scrutinizing eye on this one. It might be that it gives this second layer of additional protection that others do not have, and that is a valuable asset. You know, however, that going on full heuristics also means you are bound to meet the next false positive. So there should always be a mix of detection methods involved. Also, what I miss is user interaction when some issue has been detected. At least a hash look-up or an indication of the malware type and subtype, so the user might explore what is being flagged and what it is all about. There is a mighty difference between turning up some packer heuristics for riskware and a highly dangerous file infector of some sort. But as the protection range of this AV might be limited to the typical malware for your peripherals like USB sticks, which goes under the normal AV detection radar, this will make the evaluation of what is being found even more difficult,

polonus

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48564
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #81 on: September 14, 2012, 02:53:33 PM »
Unfortunately for me it turned my bootable USB into an unbootable USB.
I removed it some time ago. I needed protection from the bad guys.
I didn't expect the good guys to attack my bootable USB.  :(
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: 2nd layer protection for USB drives: MCShield
« Reply #82 on: September 14, 2012, 03:30:43 PM »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: 2nd layer protection for USB drives: MCShield
« Reply #83 on: September 14, 2012, 03:37:06 PM »
Unfortunately for me it turned my bootable USB into an unbootable USB.
I removed it some time ago. I needed protection from the bad guys.
I didn't expect the good guys to attack my bootable USB.  :(
As we do with avast..... also send the info to MCShield support so they can fix the issue.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48564
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #84 on: September 14, 2012, 03:39:06 PM »
Unfortunately for me it turned my bootable USB into an unbootable USB.
I removed it some time ago. I needed protection from the bad guys.
I didn't expect the good guys to attack my bootable USB.  :(
As we do with avast..... also send the info to MCShield support so they can fix the issue.
I did that in the beginning of this topic. :)

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 4095
  • Help you I can
Re: 2nd layer protection for USB drives: MCShield
« Reply #85 on: September 14, 2012, 05:16:15 PM »
As you know, MCShield refused to work on my Vista notebook because of the program's constant crashes. Lately I tried MX One Antivirus, but I had to remove it as well. The real-time shield is working OK, but again I get pop-ups: now they say the program's antivirus engine was stopped.

I think this separate "2nd layer protection for USB drives" isn't protection at all. There must be only one antivirus, and it is Avast for me. And I believe that we need only one thing: to realize that suggestion by Andrey,pro.
May the FOSS be with you!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48564
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #86 on: September 14, 2012, 05:35:23 PM »
+1

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: 2nd layer protection for USB drives: MCShield
« Reply #87 on: September 14, 2012, 05:36:59 PM »
Hi George Yves,

So I turned the program off and closed it on exit. I'll try it only when I use peripherals, just to be sure there are no conflicts with my resident AV solution, that is avast. Such conflicts between programs are not much discussed, but they exist: strange changes to SpywareBlaster after users installed MBAM,
the sudden reappearance of the Skype toolbar after it had been disabled in IE. I agree with you that a boot repair is too big an incident from a solution that is no longer beta; it should not happen,

polonus

argus

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #88 on: September 16, 2012, 07:56:18 PM »
Today I scanned the USB sticks.

dr_Bora

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #89 on: September 16, 2012, 10:00:27 PM »
Hi adotd,

As with all solutions that have to prove themselves, we will keep a scrutinizing eye on this one. It might be that it gives this second layer of additional protection that others do not have, and that is a valuable asset. You know, however, that going on full heuristics also means you are bound to meet the next false positive. So there should always be a mix of detection methods involved. Also, what I miss is user interaction when some issue has been detected. At least a hash look-up or an indication of the malware type and subtype, so the user might explore what is being flagged and what it is all about. There is a mighty difference between turning up some packer heuristics for riskware and a highly dangerous file infector of some sort. But as the protection range of this AV might be limited to the typical malware for your peripherals like USB sticks, which goes under the normal AV detection radar, this will make the evaluation of what is being found even more difficult,

polonus

An important thing to note is that MCShield's heuristics are not what you're used to seeing in an average antivirus. When I say heuristics, I do not mean detections based on compilers, exe compressors, partial signatures, etc., as in the case of an AV; I'm talking about recognizing "static behavior" (basically, what the files and the folders on a flash drive "look like"). So, the program tries to recognize malware by analyzing the file system: files and folders, their characteristics and their relations to other files and folders on the drive. These analyses are based on algorithms designed to be "triggered" by the "behavior" (what they do on a flash drive in the process of infection) of different worm families that use various methods to initiate the infection (autorun functionality, exploits, or simply tricks to make the user run the malware).

When it comes to FPs, most are made in the part of the code that analyses autorun files, and these are almost always "rename FPs" (meaning: the file is not known as a good one, so, to be on the safe side, it's renamed).
Why is this routine making more FPs than all the others (and there are 13 more)? Simply because it goes by the rule: autorun.inf and the related files are bad unless proven to be legit.
Is this the right approach? Well, there are millions of worms using autorun, and there are, let's say, a few hundred legit programs that do the same.
This seems like a simple choice to me. I might be wrong, but I'd rather take the blame for renaming a legit file than let a piece of malware slip through.
All other detection routines shouldn't really be triggered by users' files/folders. This can happen (people do "stuff"  :)), but it's not that common.

polonus mentioned that it's not easy to test this kind of software; I agree.
I'm quite certain there are parts of the code in the scanner that have never been triggered on users' computers in these 2.5 years.
Basically, what you guys have seen so far is just one small part of MCShield's possibilities. AntiAutorun, AntiLNK, three AntiReplicator routines, AntiRimecud, two AntiMimics, known bad file/folder names, hashes, AntiEsfury (folder name heur.), general/blended file heuristics (files are checked in 6 ways)...

What I'm trying to say: to test MCS, one needs to take a large flash drive containing a bunch of files and folders (hundreds or thousands) and then connect the drive to PCs infected with various worm families. Simply put: the more malware you get in there, the better detection you'll get. Why? MCS uses adaptive scanning in most of its routines. A lot of different malware will trigger more detection code; different parts of this code overlap, meaning that on a heavily infected drive, one and the same malicious file might be caught several times (so it won't go undetected that easily).

A good example is the log argus posted. All malicious files on both drives are identical. On the first drive, malware was just renamed.
On the other drive, malware was detected by at least two detection routines and got deleted.
As I said, the more, the merrier.  ;D


SpeedyPC asked: do I need this? Well, let's put it this way: MCS is going to try to remove malware (files and folders), restore the attributes of your folders in case it suspects they are hidden by malware, and also try to recover (rename, unhide) your files (some worms also mess with users' files, not just folders; they can be either renamed and hidden or simply deleted). If you know how malware works/infects and you have time to spare (I've seen logs with thousands of treated items; this could take a while to fix), all this can be done manually (assuming that you're fully patched and everything that needs to be disabled is disabled).
If the question is "I have an AV, does it need help?", then: oh, yes, your AV needs help. Be it some powerful HIPS so you can do the cleanup manually (without getting infected), or some program like the one I'm trying to "sell" you. :)

Compatibility? MCS can work alongside any AV. It doesn't use any drivers or services and it does not protect itself - it is the AV that can cause trouble to MCS (block it while working), but even this won't cause any real trouble.
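As an added illustration of the "static behavior" idea dr_Bora describes above (example code written for this page, not MCShield's own routines, and not posted by argus or dr_Bora): a small Python scanner that judges an .exe by its relation to a same-named folder, escalates from "rename" to "delete" only when a second signal agrees (the same body replicated across the drive), and treats autorun.inf and the file it launches as bad unless the inf's hash is allowlisted. The allowlist, the constructed directory tree and the verdict labels are assumptions modelled on argus's log.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed allowlist of vetted autorun.inf SHA-256 digests; empty here, so
# every autorun.inf is treated as "bad unless proven legit".
KNOWN_GOOD_AUTORUN = set()

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def autorun_targets(path):
    """File names an autorun.inf would launch via open= or shellexecute=."""
    targets = set()
    for line in Path(path).read_text(errors="replace").splitlines():
        key, _, value = line.partition("=")
        parts = value.split()
        if key.strip().lower() in ("open", "shellexecute") and parts:
            targets.add(os.path.basename(parts[0]).lower())
    return targets

def scan_drive(root):
    """Return sorted (relative path, verdict) pairs for the tree under root."""
    exes = [(d, n) for d, _, fs in os.walk(root) for n in fs if n.lower().endswith(".exe")]
    # A replicator drops one body everywhere, so identical hashes are a signal.
    digest = {os.path.join(d, n): sha256(os.path.join(d, n)) for d, n in exes}
    bodies = list(digest.values())
    findings, targets = {}, set()
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun) and sha256(autorun) not in KNOWN_GOOD_AUTORUN:
        findings[autorun] = "Worm.Sus"      # default for autorun.inf: rename
        targets = autorun_targets(autorun)
    for dirpath, name in exes:
        full, stem = os.path.join(dirpath, name), name[:-4]
        # Mimic relations from the log: <X>.exe beside folder <X>, or <X>\<X>.exe
        sibling_mimic = os.path.isdir(os.path.join(dirpath, stem))
        nested_mimic = dirpath != root and os.path.basename(dirpath).lower() == stem.lower()
        if (sibling_mimic or nested_mimic) and bodies.count(digest[full]) > 1:
            findings[full] = "Worm"          # two routines agree: delete
        elif sibling_mimic or (dirpath == root and name.lower() in targets):
            findings[full] = "Worm.Sus"      # one weaker hit: rename only
    return sorted((os.path.relpath(p, root), v) for p, v in findings.items())

def build_sample_drive(root):
    """Constructed tree mirroring argus's log; the 'MZ' bodies are placeholders."""
    worm = b"MZ constructed-worm-body"
    files = {
        "autorun.inf": b"[autorun]\r\nopen=pozuda.exe\r\n",
        "pozuda.exe": worm,
        "7-Zip Portable.exe": worm,
        os.path.join("7-Zip Portable", "7-Zip Portable.exe"): worm,
        os.path.join("7-Zip Portable", "App", "App.exe"): worm,
        os.path.join("Extra", "HxD", "HxD.exe"): b"MZ constructed-legit-tool",
        "readme.txt": b"user data, never touched",
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(body)

def demo():
    """Scan the constructed drive; keys use '/' so the result is portable."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return {p.replace(os.sep, "/"): v for p, v in scan_drive(root)}
```

`demo()` only reports verdicts and deletes or renames nothing; the legitimate `Extra\HxD\HxD.exe` sits inside a same-named folder but has a unique body, so it is left alone, which is the false-positive boundary polonus and dr_Bora discuss.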