Avast WEBforum

Other => General Topics => Topic started by: Lisandro on August 27, 2012, 03:17:32 AM

Title: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 27, 2012, 03:17:32 AM
Would you go for MCShield?
Seems very good (in performance and protection).
What do you think?

amf.mycity.rs/mcshield
http://amf.mycity.rs/mcshield/Doc/MCShield_Help_EN.pdf

Oh, it runs side-by-side with avast!
Completely freeware.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on August 27, 2012, 04:34:16 AM
Would you go for MCShield?
Seems very good (in performance and protection).
What do you think?

amf.mycity.rs/mcshield
http://amf.mycity.rs/mcshield/Doc/MCShield_Help_EN.pdf

Oh, it runs side-by-side with avast!
Completely freeware.

I am presently using USB Vaccine by Panda Security. I wonder if MC Shield would be better?? ???
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on August 27, 2012, 04:58:06 AM
You may ask argus and magna86. They use it ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: SpeedyPC on August 27, 2012, 09:30:52 AM
I don't need a 2nd layer protection for USB drives because my Outpost Pro FW already has layer protection for USB & DVD drives all in one ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on August 27, 2012, 01:48:24 PM
Sorry but why use an add-on when you can have avast check your USB drive?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 27, 2012, 03:39:40 PM
Sorry but why use an add-on when you can have avast check your USB drive?
2nd layer, heuristic and proactive analysis.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on August 27, 2012, 03:46:15 PM
Sorry but why use an add-on when you can have avast check your USB drive?
2nd layer, heuristic and proactive analysis.
If it starts out clean and everything you add is clean, why do you need a second layer or the rest ???
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 27, 2012, 04:04:36 PM
If it starts out clean and everything you add is clean, why do you need a second layer or the rest ???
If you need to (have to) use other USB sticks in your computer you'll know it...
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Charyb-0 on August 27, 2012, 04:23:33 PM
I have Outpost removable media protection set to block autorun.inf and block any application from launching that does not have a digital signature. Plus I use a usb immunizer from a different source since avast doesn't provide this.

Avast should release their own usb immunizer so users do not need to go to other sources. This would help to protect any computer that you plug a usb into from autorun based malware.

Thanks for the suggestion.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: DavidR on August 27, 2012, 05:04:37 PM
Step my Removable protection a notch in Outpost to also block the launch of applications that are not signed by trusted digital signature. I don't Enable CD protection though.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: argus on August 27, 2012, 07:35:23 PM
Hello,

The original idea for MCShield came from USBNoRisk (the first USB malware removal tool that is designed for helpers), which we used on our malware removal forum to clean infected USB flash drives.


USB viruses are not spread just via autorun.inf, as everyone thinks.
Malware usually comes in through:

* autorun.inf
* Desktop.ini/comment.htt/ActiveX
* user
* Windows Shell-LNK exploit (newest method)

The program can prevent all known attack vectors.

Example:
How does a malicious program use Desktop.ini files?

Content of the Desktop.ini file

Code:
[.ShellClassInfo]
HTMLInfoTipFile=file://Comment.htt
ConfirmFileOp = 0

Content of the Comment.htt file

Code:
AppleObject.createInstance()
Set WsShell = AppleObject.GetObject()
Wsshell.run(Path + "malicious_file.EXE")

This is just part of the code of the Comment.htt file, but as you can see, it runs the malicious program.

Double-clicking on the folder icon is enough to start a malicious program and do what it is intended for.
Some malware uses this method (Stuxnet), without double-clicking on the folder.

MCShield will automatically disable this malware and put it in quarantine.
Panda USB Vaccine does not see this infection.
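
The file-based launch points listed in the post above can be checked for directly. The following is an added example, not part of the original post and not MCShield's code: a Python sketch that walks a drive and reports a root autorun.inf with launch entries and any Desktop.ini whose HTMLInfoTipFile points at a template containing the script calls quoted above. The sample drive contents, the finding labels and all function names are constructed for illustration.

```python
"""Added example: flag autorun.inf and Desktop.ini/.htt launch points on a drive."""
import tempfile
from pathlib import Path

# Markers taken from the Comment.htt fragment quoted in the post (matched lowercase).
HTT_MARKERS = ("createinstance", ".run(")


def read_ini(path):
    """Leniently parse an INI-style file into {section: {key: value}} (lowercased).

    Lines that are neither a [section] nor key=value are ignored, so junk
    padding inside the file does not hide the real entries.
    """
    raw = path.read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):          # UTF-16 with BOM
        text = raw.decode("utf-16", errors="replace")
    else:
        text = raw.decode("latin-1")
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def check_autorun(path):
    """Report [autorun] entries that start a program when the drive is opened."""
    findings = []
    for key, value in read_ini(path).get("autorun", {}).items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            findings.append(("autorun-launch", path, f"{key}={value}"))
    return findings


def check_desktop_ini(path):
    """Report a folder template reference and script markers in the template."""
    tip = read_ini(path).get(".shellclassinfo", {}).get("htmlinfotipfile")
    if not tip:
        return []
    findings = [("desktop-ini-template", path, f"HTMLInfoTipFile={tip}")]
    # Simplification: only a template in the same folder is followed.
    name = tip[7:] if tip.lower().startswith("file://") else tip
    name = name.replace("\\", "/").split("/")[-1].lower()
    target = next((p for p in path.parent.iterdir() if p.name.lower() == name), None)
    if target is not None and target.is_file():
        # Dropping NUL bytes lets the ASCII markers match UTF-16 text as well.
        body = target.read_bytes().replace(b"\x00", b"").decode("latin-1").lower()
        hits = [m for m in HTT_MARKERS if m in body]
        if hits:
            findings.append(("htt-script", target, "markers: " + ", ".join(hits)))
    return findings


def scan_drive(root):
    """Walk the drive; autorun.inf only counts in the root, Desktop.ini anywhere."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name == "autorun.inf" and path.parent == root:
            findings += check_autorun(path)
        elif name == "desktop.ini":
            findings += check_desktop_ini(path)
    return findings


def demo():
    """Build a constructed sample drive in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "autorun.inf").write_text(
            "[autorun]\n;padding\nopen=setup.exe\nicon=setup.exe,0\n")
        photos = drive / "Photos"
        photos.mkdir()
        (photos / "Desktop.ini").write_text(
            "[.ShellClassInfo]\nHTMLInfoTipFile=file://Comment.htt\nConfirmFileOp = 0\n")
        (photos / "Comment.htt").write_text(          # inert text, lines from the post
            "AppleObject.createInstance()\nSet WsShell = AppleObject.GetObject()\n"
            'Wsshell.run(Path + "malicious_file.EXE")\n')
        docs = drive / "Docs"
        docs.mkdir()
        (docs / "desktop.ini").write_text("[.ShellClassInfo]\nIconResource=shell32.dll,4\n")
        return [(kind, p.relative_to(drive).as_posix(), detail)
                for kind, p, detail in scan_drive(drive)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A Desktop.ini without HTMLInfoTipFile, like the constructed Docs folder, produces no finding, and ConfirmFileOp = 0 is deliberately not reported on its own.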
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on August 27, 2012, 07:47:36 PM
As I understand, Panda Vaccine will only stop the autorun... not detect the infection?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on August 27, 2012, 07:58:49 PM
Good information!
Thanks for the input, I believe I will switch.
I also have OPFW set to protect USB and no digitally signed, but what the heck the resources used are nil and the added protection ( 2nd. layer) can't in my estimation hurt. ;) ;D
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: argus on August 27, 2012, 08:00:00 PM
As I understand, Panda Vaccine will only stop the autorun... not detect the infection?

Panda creates an autorun.inf file and afterwards changes the file attribute to one which proclaims it a partition, thus leading the Windows FAT driver to confusion and leaving it unable to access the file (and thus prevents malware that uses standard Windows functions to access the file)

but...

Is not a philosophy that I have malware starts to write directly on the disk, without using Windows driver.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on August 28, 2012, 05:26:26 PM
Just thought I'd say, I use USB a lot with shared Flash Drives as this is how I monitor various aspects of my business.
Anyway, I read the pdf file supplied, liked what I read and downloaded/installed MCShield.
I think it is compact, and find it a very nice tool. Will use it now ;)
One of the small interesting side benefits of staying in touch with what's going on here on the forum.  8) I've mentioned before, I like to read most everything  :P
Nice little didi Tech :D
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on August 28, 2012, 06:09:50 PM
@ Tech,
You've also convinced me. Better safe than sorry. :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on August 28, 2012, 08:45:00 PM
This tool doesn't want to work for me. After the installation I got the Windows pop-up saying that the scanner stopped and would be closed. I disabled scanning removable media and hard drives on the programs start and rebooted. After that the program started well but as soon as I insert a USB-stick I again got the pop-up that the scanner stopped and would be closed.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on August 28, 2012, 08:55:50 PM
This tool doesn't want to work for me. After the installation I got the Windows pop-up saying that the scanner stopped and would be closed. I disabled scanning removable media and hard drives on the programs start and rebooted. After that the program started well but as soon as I insert a USB-stick I again got the pop-up that the scanner stopped and would be closed.


Hm... I'll contact the developers.

Start -> All Programs -> MCShield -> Logs

Please attach here:
AllScans.txt
Summary.txt

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on August 28, 2012, 10:07:01 PM
magna86
I have already removed the program and cleaned the system.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on August 28, 2012, 10:24:07 PM
This tool doesn't want to work for me. After the installation I got the Windows pop-up saying that the scanner stopped and would be closed. I disabled scanning removable media and hard drives on the programs start and rebooted. After that the program started well but as soon as I insert a USB-stick I again got the pop-up that the scanner stopped and would be closed.


Hm... I'll contact the developers.

Start -> All Programs -> MCShield -> Logs

Please attach here:
AllScans.txt
Summary.txt


Good to know there's help near by. ;) :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on August 28, 2012, 10:39:36 PM
@George Yves
Hm ... Okay. :-\
Interesting crashes you have received, so your log reports would be very interesting.

@schmidthouse
 ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 28, 2012, 11:50:12 PM
Just thought I'd say, I use USB a lot with shared Flash Drives as this is how I monitor various aspects of my business.
Anyway, I read the pdf file supplied, liked what I read and downloaded/installed MCShield.
I think it is compact, and find it a very nice tool. Will use it now ;)
One of the small interesting side benefits of staying in touch with what's going on here on the forum.  8) I've mentioned before, I like to read most everything  :P
Nice little didi Tech :D
You're welcome.

@ Tech,
You've also convinced me. Better safe than sorry. :)
:)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: iroc9555 on August 29, 2012, 02:19:20 AM
Just to be sure. Is this the page to download MCShield?

http://amf.mycity.rs/mcshield/downloads.html

Because all my Googling sent me to some feature McAfee has also called MCShield.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on August 29, 2012, 02:28:00 AM
Just to be sure. Is this the page to download MCShield?

http://amf.mycity.rs/mcshield/downloads.html

Because all my Googling sent me to some feature McAfee has also called MCShield.
It's where I got it from. :)


Tech's original post gave you the clue:
amf.mycity.rs/mcshield
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 29, 2012, 02:36:30 AM
Yeah, MCShield is NOT from McAfee.  8)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: iroc9555 on August 29, 2012, 03:06:50 AM
It's where I got it from. :)

Tech's original post gave you the clue:
amf.mycity.rs/mcshield

Yes, but I don't read Serbian so it took me a while to find it in English.

Yeah, MCShield is NOT from McAfee.  8)

I know but look at these:

http://www.neuber.com/taskmanager/process/mcshield.exe.html
https://community.mcafee.com/message/240900
http://www.file.net/process/mcshield.exe.html

I just wanted to be sure it was the same program version you were talking about. Double checking I guess.

Thanks guys.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 29, 2012, 03:11:49 AM
Well, I do not read Serbian either  :-[
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on August 29, 2012, 03:18:46 AM
Well, I do not read Serbian either  :-[
Neither do I. :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on August 29, 2012, 09:28:52 AM
@George Yves
Hm ... Okay. :-\
Interesting crashes you have received, so your log reports would be very interesting.
I've just installed it on a computer with WinXP and Avast Free without any third-party anti-spyware. Everything is OK. I'll try to install it again at my home notebook with Vista SP2, Avast Free and SpywareTerminator 2012. I'll do it just to send you the logs.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on August 29, 2012, 10:30:40 AM
I just saw a very interesting effect on the WinXP machine I have mentioned above. I was asked to have a look on a file from a USB stick. So, I inserted the stick and MCShield prompted that it was checking it. Soon I was prompted that some malware were detected and moved to the program's quarantine folder. But as soon as the malware files appeared there, Avast signaled that it detected malware in the folder and moved them to its own chest!

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: DavidR on August 29, 2012, 12:43:58 PM
Not so much an interesting effect, just normal as when new files are created they will be scanned by the file system shield, if they are detected then they will be actioned as per your settings.

Whilst the files are in the USB they are inert, when run they would be scanned or in this case moved/copied to the hard disk it is a newly created file which would get scanned (depending on file type).
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on August 29, 2012, 12:54:37 PM
Not so much an interesting effect,
I find it interesting because it was totally unexpected. It means that MCShield's quarantine folder occurs not to be safe for keeping removed malware.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: DavidR on August 29, 2012, 01:11:29 PM
Safe is a different interpretation, since any quarantine isn't the location that the file would be if it were sent from the USB to the hard drive any command to run it wouldn't know where it was (e.g. the quarantine location), so the risk is limited.

Yes it would be preferable if it encrypted the data and protected the folder, but that would require that the program be more active than just when you plug a USB in.

It isn't that strange when there are many security programs that don't even encrypt their virus signatures just waiting for avast to detect them ;D
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 29, 2012, 01:39:52 PM
It means that MCShield's quarantine folder occurs not to be safe for keeping removed malware.
What do you mean? Can the malware be automatically executed when moved into the quarantine?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on August 29, 2012, 02:10:27 PM
@iroc9555
Yes, that's official.  ;)
http://amf.mycity.rs/mcshield
(you may read about us)

Or...
Softpedia - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)

PS: McShield.exe is McAfee related.  :)

@George Yves
I'll try to install it again at my home notebook with Vista SP2, Avast Free and SpywareTerminator 2012. I'll do it just to send you the logs.
Thank you very much for that.  ;)

@All
> Files in Quarantine are completely harmless and they are not executable.

If you have any questions or concerns, feel free to ask:
mcshield.support[at]gmail.com

There are many articles by others that have been written about MCShield. Some are in our language as well as English.
I currently have this link in hand:
http://www.insightsintechnology.com/2012/03/mcshield-2-shields-pc-from-usb.html

Just for records  ;D

MCShield was tested on a huge number of malware and worms (even the latest ones).
Not only in our laboratory or on some virtual machines; we do it in practice (schools, copy photo shops and similar institutions where there is a high frequency of USB memory drive use).
We test and compare MCShield with Panda and USB Security, and MCS has convincingly beaten the known competition.
And it's freeware.



PS: Question for all of you guys, if you don't mind.  :)

Could someone be in the mood to translate MCShield into another language?
Currently, MCShield has been translated into three languages:
English; Serbian; Polski.

Translation is easy, and if maybe someone is in the mood just let me know by PP.
Anyone who is willing to do so will get their nickname (or full name) listed in MCShield > About > Credits (of course, if you want to)




Thanks for review  ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 29, 2012, 02:43:01 PM
PS: McShield.exe is McAfee related.  :)
???
http://amf.mycity.rs/mcshield/about.html
Where are you seeing evidence for this affirmation?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on August 29, 2012, 02:57:31 PM
http://amf.mycity.rs/mcshield/about.html
Where are you seeing evidence for this affirmation?

Either you did not understand me or I was not clear enough.

McShield.exe ( \%Program Files%\McAfee ) is McAfee related.
MCShieldRTM.exe [MC- aka MyCity] ( \%Program Files%\MCShield) is MCShield Anti Malware tool related.

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on August 29, 2012, 04:28:32 PM
It means that MCShield's quarantine folder occurs not to be safe for keeping removed malware.
What do you mean? Can the malware be automatically executed when moved into the quarantine?
When an anti-malware program moves something into its quarantine folder, I expect that no other anti-malware program will find them dangerous. But as I have said above, Avast detected files in MCShield's quarantine as threats and moved them into its own chest. So, if Avast found already quarantined items as threats, I supposed that MCShield's quarantine folder is not safe.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on August 29, 2012, 04:59:22 PM
Hm... I'll contact the developers.

Start -> All Programs -> MCShield -> Logs

Please attach here:
AllScans.txt
Summary.txt


Well, I didn't find the logs in the program's folder. Maybe it's because I have Vista SP2, not XP. I found them in C:\ProgramData\MCShield. The files were empty: there were only their names inside them - >>> MCShield AllScans.txt <<< and >>> MCShield Summary.txt <<<.

If you need, I have dumps from the latest crashes. For every crash Windows created a set of files: AppCompat.txt, Version.txt, memory.hdmp and minidump.mdmp.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on August 29, 2012, 06:18:25 PM
I just created a bootable USB drive and forgot to take it out of the computer.
When I rebooted, MCShield changed some of the files to make booting impossible......
(not a good move.  :( )
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on August 29, 2012, 06:24:49 PM
I just created a bootable USB drive and forgot to take it out of the computer.
When I rebooted, MCShield changed some of the files to make booting impossible......
(not a good move.  :( )

Interesting, I've never done that, but didn't think of that either ::) ???
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 29, 2012, 09:41:14 PM
MCShield changed some of the files
Do you have details? I'll drop my recommendation if it is changing files... It shouldn't. It should be only a heuristic scanner.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on August 29, 2012, 10:19:25 PM
Hello, I'm one of the authors of the program you are discussing.
I saw some interesting questions and thought I'd reply. I hope this will not be considered spam/advertising by the moderating team (if that's the case, nuke the post and accept my apology).


@bob3160: normally, a flash drive is a storage media and if used that way, false detections should not occur, but there's a number of legit programs (example: Lupo Pen Suite and similar, bootable drives, memory cards used in some devices) that use either different autorun methods or exhibit certain behavior that can often be seen on infected drives.
To prevent these FPs, MCS has a whitelist containing hashes of a number of known legitimate files that need to be protected from detection. Unfortunately, I'm the only one that maintains this database and I definitely have no way of knowing about every possible program that would need to be protected from detections.
Obviously, false positives must happen from time to time and they are fixed when users report them to me.
So, if you show me the logfile of that scan, the files are going to be whitelisted and the detections will not reoccur (I need the log because it contains the MD5s of the files).

@Tech: the program renames or moves to quarantine, it never changes the contents of the files. So, you can't really lose a file (or its contents) that was detected, it's always there, either in the original location (renamed) or in the quarantine folder.


As far as the name goes, beginning from version 2 the program's official name is: "MCShield ::Anti-Malware Tool::" (it was only MCShield before). The name was changed so that a certain AV vendor wouldn't get mad at us.  :)
Of course, my intention was never to confuse people and make them believe that MCS has something with McAfee and MC stands for MyCity (my home forum).


The quarantine and occasional detections that AVs make in there... Yes, I agree that this is not perfect and the other programmer and I discussed the encryption many times, but we never got to making it. You know, real life, jobs and stuff like that. Hopefully, we'll get to it one day.

Is the quarantine safe? Well, malware in that folder can't start by itself. So, unless you go there and start clicking on files you know to be malicious, you won't have any problems.
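
The whitelist described in the post above is keyed on the MD5s recorded in the scan log. As an added example (not MCShield's code), this Python sketch parses log text of the shape posted in this thread and splits the logged items into allowlisted, unknown and hash-less entries, and checks each summary line against the items parsed. The allowlist, the function names and the report keys are assumptions; the sample log is assembled from the two logs quoted in the thread.

```python
"""Added example: triage MCShield-style scan log entries against a hash allowlist."""
import re

HEADER_RE = re.compile(r"^>>> MCShield v (?P<version>[\d.]+) / DB: (?P<db>[\d.]+) <<<$")
DRIVE_RE = re.compile(r"> Drive (?P<drive>[A-Za-z]): - scan started")
# The path is followed by " > " or " - " (both occur in the posted logs),
# then the verdict, the action, and an MD5 that is absent for autorun.inf.
ITEM_RE = re.compile(
    r"^>>> (?P<path>[A-Za-z]:\\.+?) [>-] (?P<verdict>\w+) > (?P<action>\w+)\."
    r"(?: \(MD5: (?P<md5>[0-9a-fA-F]{32})\))?$")
SUMMARY_RE = re.compile(r"^=> \w+ files\s*: (?P<done>\d+)/(?P<total>\d+) \w+\.$")

# Sample input assembled from the two logs posted in this thread.
SAMPLE_LOG = r"""
>>> MCShield v 2.1.4.13 / DB: 2012.8.28.1 <<<
8/29/2012 4:06:30 PM > Drive F: - scan started (no label ~31183 MB, NTFS flash drive )...
>>> F:\autorun.inf > Suspicious > Renamed.
>>> F:\setup.exe - Suspicious > Renamed. (MD5: 0b60f00ae3f2bb298060f6655612691e)
=> Suspicious files  : 2/2 renamed.
>>> MCShield v 2.1.4.13 / DB: 2012.8.31.1 <<<
01/09/2012 14:49:04 > Drive H: - scan started (~3817 MB, FAT32 flash drive )...
>>> H:\autorun.inf > Suspicious > Renamed.
>>> H:\SecureII\Windows\SecureII.exe - Suspicious > Renamed. (MD5: a56e7680a6d2940dafa668585a89d5a2)
=> Suspicious files  : 2/2 renamed.
"""

# Constructed allowlist: hashes a local admin has already verified as legitimate.
ALLOWLIST = {"0b60f00ae3f2bb298060f6655612691e"}


def parse_log(text):
    """Return one dict per drive scan: version, db, drive, items, summary."""
    scans, current = [], None
    version = db = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            version, db = header["version"], header["db"]
            continue
        drive = DRIVE_RE.search(line)
        if drive:
            current = {"version": version, "db": db, "drive": drive["drive"].upper(),
                       "items": [], "summary": None}
            scans.append(current)
            continue
        if current is None:
            continue                      # text before the first scan line
        item = ITEM_RE.match(line)
        summary = SUMMARY_RE.match(line)
        if item:
            entry = item.groupdict()
            if entry["md5"]:
                entry["md5"] = entry["md5"].lower()
            current["items"].append(entry)
        elif summary:
            current["summary"] = (int(summary["done"]), int(summary["total"]))
    return scans


def triage(scans, allowlist):
    """Group logged paths by what the allowlist says about their hash."""
    report = {"allowlisted": [], "unknown": [], "no_hash": [], "count_mismatch": []}
    for scan in scans:
        for item in scan["items"]:
            if item["md5"] is None:
                report["no_hash"].append(item["path"])
            elif item["md5"] in allowlist:
                report["allowlisted"].append(item["path"])
            else:
                report["unknown"].append(item["path"])
        # A total that differs from the parsed items means lines were lost or edited.
        if scan["summary"] and scan["summary"][1] != len(scan["items"]):
            report["count_mismatch"].append(scan["drive"])
    return report


if __name__ == "__main__":
    for group, paths in triage(parse_log(SAMPLE_LOG), ALLOWLIST).items():
        print(group, paths)
```

MD5 is what the log carries; for an allowlist you maintain yourself, record a SHA-256 of the file as well, since MD5 collisions are practical.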
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on August 29, 2012, 10:27:22 PM
@ dr_Bora
Thank you for further information as I have recently installed and am using MCShield, simply as I've stated to monitor exchanging USB devices.
Appreciate your time. :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 29, 2012, 11:33:16 PM
Thanks for coming Bora and thanks for the information.
Keep your good work.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on August 30, 2012, 12:12:05 AM
Quote
@bob3160: normally, a flash drive is a storage media and if used that way, false detections should not occur, but there's a number of legit programs (example: Lupo Pen Suite and similar, bootable drives, memory cards used in some devices) that use either different autorun methods or exhibit certain behavior that can often be seen on infected drives. To prevent these FPs, MCS has a whitelist containing hashes of a number of known legitimate files that need to be protected from detection. Unfortunately, I'm the only one that maintains this database and I definitely have no way of knowing about every possible program that would need to be protected from detections. Obviously, false positives must happen from time to time and they are fixed when users report them to me. So, if you show me the logfile of that scan, the files are going to be whitelisted and the detections will not reoccur (I need the log because it contains the MD5s of the files).
Thanks for the prompt reply and welcome to the forum dr_bora,
I see the 3 folders in question but, where are they located ???

(Screenshot: http://my.jetscreenshot.com/2701/20120829-ypsa-40kb)

>>> MCShield v 2.1.4.13 / DB: 2012.8.28.1 <<<

8/29/2012 4:06:30 PM > Drive F: - scan started (no label ~31183 MB, NTFS flash drive )...

>>> F:\autorun.inf > Suspicious > Renamed.
>>> F:\setup.exe - Suspicious > Renamed. (MD5: 0b60f00ae3f2bb298060f6655612691e)

=> Suspicious files  : 2/2 renamed.
____________________________________________

::::: Scan duration: 37s :::::::::::::::::::
____________________________________________

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on August 30, 2012, 12:15:54 AM
The program I used to create the bootable USB comes from Microsoft and can be found at:
http://www.microsoftstore.com/store/msstore/html/pbPage.Help_Win7_usbdvd_dwnTool

(Screenshot: http://my.jetscreenshot.com/2701/20120829-o4um-19kb)
(Screenshot: http://my.jetscreenshot.com/2701/20120829-rlko-19kb)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on August 30, 2012, 12:02:18 PM
So, unless you go there and start clicking on files you know to be malicious, you won't have any problems.
That is the problem. According to a famous Russian writer Anton Chekhov, "If in the first act you have hung a pistol on the wall, then in the following one it could be fired."
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Chris Thomas on August 30, 2012, 04:31:41 PM
Will this work with Windows 8?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on August 30, 2012, 10:56:48 PM
Will this work with Windows 8?
I'm running Windows 8    so you be the judge.  ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on August 31, 2012, 06:04:09 PM
As I said I can't use MCShield on my home computer. But could anybody advise me any freeware analogue?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on August 31, 2012, 07:37:58 PM
I never heard one... This is why I've aired it out at the beginning. Seems unique (by now).
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on August 31, 2012, 10:07:53 PM
@bob3160, sorry for the late reply, I was away.

The file in the log, setup.exe, is whitelisted in DB 2012.8.31 and won't be detected anymore.

Regarding those folders... They are not from the same scan as the Setup program. Unless you're 100% sure that those are of legitimate origin, just leave them quarantined.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on August 31, 2012, 10:28:20 PM
@bob3160, sorry for the late reply, I was away.

The file in the log, setup.exe, is whitelisted in DB 2012.8.31 and won't be detected anymore.

Regarding those folders... They are not from the same scan as the Setup program. Unless you're 100% sure that those are of legitimate origin, just leave them quarantined.
They are a part of the original .iso download from Microsoft.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on September 01, 2012, 07:54:31 PM
MCShield in action for me for the first time:

>>> MCShield v 2.1.4.13 / DB: 2012.8.31.1 <<<
01/09/2012 14:49:04 > Drive H: - scan started (~3817 MB, FAT32 flash drive )...
>>> H:\autorun.inf > Suspicious > Renamed.
>>> H:\SecureII\Windows\SecureII.exe - Suspicious > Renamed. (MD5: a56e7680a6d2940dafa668585a89d5a2)

=> Suspicious files  : 2/2 renamed.
____________________________________________

::::: Scan duration: 20s :::::::::::::::::::
____________________________________________

But seems a false positive:
https://www.virustotal.com/file/f1850adf458d0610ad84d6eab622ed49aea2f597375465c088784f0d46727722/analysis/


By the way, the light on the usb stick becomes RED when this happens :)
Is it a coincidence?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on September 01, 2012, 08:13:40 PM
MCShield in action for me for the first time:

>>> MCShield v 2.1.4.13 / DB: 2012.8.31.1 <<<
01/09/2012 14:49:04 > Drive H: - scan started (~3817 MB, FAT32 flash drive )...
>>> H:\autorun.inf > Suspicious > Renamed.
>>> H:\SecureII\Windows\SecureII.exe - Suspicious > Renamed. (MD5: a56e7680a6d2940dafa668585a89d5a2)

=> Suspicious files  : 2/2 renamed.
____________________________________________

::::: Scan duration: 20s :::::::::::::::::::
____________________________________________

But seems a false positive:
https://www.virustotal.com/file/f1850adf458d0610ad84d6eab622ed49aea2f597375465c088784f0d46727722/analysis/


By the way, the light on the usb stick becomes RED when this happens :)
Is it a coincidence?
Exactly what happened to me and made my bootable USB un-bootable.
I've removed it and am letting avast! do the job. :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on September 01, 2012, 10:31:53 PM
Just to update.
I've used MCShield now for a few days and a dozen or so different Flash Drives given me and no problem with the Shield doing its job under my circumstances. ;)
With the bootable Flash Drive it seems there are limitations or something......I don't know.
Anyway, for me, I'm running it every day and like it much better than USB Vaccine. :) 8)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on September 01, 2012, 11:12:21 PM
For sure it would be better to configure it to "ask" and not to automatically take actions.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on September 01, 2012, 11:26:49 PM
For sure it would be better to configure it to "ask" and not to automatically take actions.

+100  Agreed it would  :)
Edit:  Possibly one of the authors could take note. ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on September 02, 2012, 12:04:12 AM
@Tech, the file is whitelisted, detection won't occur after update.

@bob3160, don't get me wrong, I'm not here to argue, but... The program just did what it is meant to do.
Basically, it's a generic scanner (probably 99% of detections are infection based heuristics) meant to block USB transmitted malware using any known attack vector.
Because of the fact that files on removable drives are not critical for the proper functionality of your OS, MCS can go a step further than an antivirus can and be much more aggressive. Precisely that is the reason why I never got any reports of flash infections on computers running MCS in a period of more than 2 years.
And no, I'm not saying it detects everything, but it detects enough to prevent infections.
Anyway, thanks for trying and the feedback, it's appreciated.


These generic autorun detections simply happen when a new/updated software using autorun feature is published. When I'm informed about it, the detections get prevented. That's the only way I can make sure that a PC doesn't get infected using autorun. Alternative would be to do as an AV does: wait for a signature of a piece of malware (but that would make MCS quite pointless: it's supposed to help the AV with new malware, not have the same "problem" as the AV does).

Bootable drives are treated the same way as any other drive and there are no special issues regarding those. I'll do some testing with Win8 setup flash disk to see what are those folders doing there (it's a name for a protected system folder, I have a hard time understanding why would MS put those folders on a setup disk - if they are supposed to be there, I'll adjust the program logic behind those detections /that detection is not database based, it is hardcoded - folder with that name, in the root of a drive can be both legit and bad; the program tries to determine what is what.../).

schmidthouse mentioned Panda... No intention to talk bad about "competition"  :), just believe that this needs to be said: Panda USB vaccine provides a certain amount of protection on older operating systems where autorun functionality can be exploited. It creates an autorun.inf file (which can be considered as a loading point) and sets an illegal attribute on it (instead of being marked as a file, that autorun.inf is marked as a volume and because of that can not be opened using standard Windows functions). There are two things to note regarding this:
- autorun is just one of the ways the infection can be started;
- this is not bulletproof; although they say you need to format the drive to remove the file, that file can be removed (a dll that comes with MCS has functions that can both create those files and remove them - this is not used because I think it is not a good approach, but, the point is, if MCS can do it, what is to prevent malware from doing it?).



Automatic mode and why MCS can't ask what to do... First, some things are time critical (autorun and the exploits), I can't ask because by the time user responds it could be too late. Second, malware uses a lot of tricks and an average user doesn't have enough knowledge to respond properly.
An example: MCShield scans a memory card on a camera and tells the user that X:\DCIM.exe is malware... Most people would think I'm insane and that I'm trying to delete their pictures because a folder named DCIM is where their pictures are. Of course, this is simple stuff for a power user, but for an average one, it's not really that simple.

Anyway, to implement some kind of expert mode where program would do what must be done right away and then ask the user for the rest would be brutally complicated and require a total rewrite of the program. To do this, I'd have to stop working on malware detection routines for at least six months and I'm not sure it's worth it. Yes, I know it doesn't look good when the first thing a program does is to make a false positive, but believe me when I say it doesn't happen that often. Currently, the whitelist contains only 111 files that had to be protected from detection. Don't know what you think of it, but I'd say that's not bad considering the program is more than 2 years old and that the number of treated items reported so far is 223173.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on September 02, 2012, 12:34:09 AM
@ dr_Bora.
Thanks for the added information.
I appreciate the time you've taken to explain your program. :) 8)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on September 02, 2012, 03:19:44 AM
Thanks Bora.
I can follow the logic behind the programming decisions.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: polonus on September 12, 2012, 02:48:27 PM
Hi folks,

My forum friend, Pondus, alerted me to this 2nd layer protection for usb, and I decided to install. If something is detected it alerts early in the scan sequence that the particular drive is infected, and you are advised not to interrupt. Advanced users will like to check against a FP. On the other hand the logs neatly produce a hash for what is found, but that is sometimes no guarantee for getting the actual infection info you'd like to have a verifiable indication.
The only software that is specific for USB, but has to come installed there or on the PC is called MX One Antivirus, it is a Mexican freeware and runs neatly alongside your resident av solution. I missed the comparison of these two products in this thread. Maybe someone can comment?
Also good is when you do not travel or use peripherals, you can disable it for the time you have no need for it.
I would say, a little minus for the interface being a bit basic, big plus for detection of infections that normally go under the detection radar, like desktop.ini etc. Use it like "an extra mirror to look into the normally blind corners",

polonus


Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Theo Peterbroers on September 12, 2012, 03:49:23 PM
And while we're at it, here are some more USB antivirus products.

PNY antivirus, http://www. y2000.com.tw/Engweb/pnyusbav.html (rebranded Snowy Owl antivirus)
Naevius USB Antivirus http://www. naevius.com/usb_antivirus.htm

I know for sure, that there are more USB antivirus products that I did not bookmark. Any interest in a list?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Theo Peterbroers on September 12, 2012, 04:06:30 PM
Naevius is also referred to from the future (Posted on 05-07-2013):
hXXp://www. bestfreeantivirus2013.net/ free-ernt-system-antivirus-2013/

They also have links to Free Usb Flash Drive Autorun Antivirus 2013 and Free Antisapetik Usb 2013 Antivirus
hXXp://www. bestfreeantivirus2013.net/ free-usb-flash-drive-autorun-antivirus-2013/
hXXp://www. bestfreeantivirus2013.net/ free-antisapetik-usb-2013-antivirus/

EDIT And some more, seems to be a lukewarm item, I might say 'somewhat trending' to keep up with the hipsters.
hXXp://download. cnet.com/USB-Drive-Antivirus/3000-2239_4-10841283.html
hXXp://www. usbantivirus.net/
hXXp://www. trustport.com/en/products/trustport-usb-antivirus
hXXp://www. softpedia.com/downloadTag/USB+Antivirus (GGreat is Snowy Owl, see previous post)
hXXp://thepcsecurity. com/mx-one-free-usb-portable-antivirus-for-malware-removal/
hXXp://usb-av-antivirus. en.malavida.com/
hXXp://www. hongkiat.com/blog/tools-to-protect-computer-from-infected-usb-drives/
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: polonus on September 12, 2012, 05:14:19 PM
Hi Kwartet!,

Thanks for the survey. Handy for those testers out here....
This thread will probably continue because protection of peripheral (flash) disks will be more and more of an issue for all of us.

Quote
From Plug and Play and  then Pray to Plug and Play in a Better and more  Secure Way...

The rhyme quote I made up myself...

As I look for effectiveness and I compare MX One to McShield 2.1.413 I would go for the second solution.
On an old usb stick that I scanned  McShield found another issue, an autorun.inf and came to rename that.
MX One just found a lot of unknown files always and wanted to send these home for further evaluation.
So it reminded me more of a data collection tool.
The actions thereof reminded me of the RUBotted beta tool.
It sits there in the background and never alerted me to anything and the logs are still empty from the mo I installed it..
The only thing I like McShield  to add really is possible user interaction before malcode is being processed,
so there is room for a second op....

polonus
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on September 12, 2012, 05:44:03 PM
The only software that is specific for USB, but has to come installed there or on the PC is called MX One Antivirus, it is a Mexican freeware and runs neatly alongside your resident av solution. I missed the comparison of these two products in this thread. Maybe someone can comment?
I tried to install this program. First of all, I want to note that I could not download it from the manufacturer. After clicking on the download button I was redirected to another site that has been blocked by Bitdefender Traffic Lights extension in my Firefox as a site with malicious content. Well, I opened Google Search and found http://mx-one-antivirus.en.malavida.com/ where I downloaded not the installation file but a small program that in its turn downloaded the installation file right on my desktop. After that I started the installation process during which Avast's Autosandbox asked me several times if I want to start every component sandboxed.

The first window asked me what I want: to install the program on a USB or on my computer. I chose the second option. Then I was asked about the installation process language and I chose Russian. During the process I was asked if I would like to install a Babylon toolbar and I had to uncheck three boxes to refuse. One of the windows asked me to choose the interface language - I had to choose English because they haven't Russian. Strange but they could find Russian only for the installation windows. After the installation I got the program's icon in the system tray - a simple blue square with white letters "MO". Not very informative, I think. When I right-clicked it I saw a menu not fully translated from Spanish and with automatically checked option "Disable Real Time Protection".

Then I was prompted that the program needs to update its database and I allowed the updating. It took less than 20 seconds to update the database. Now I tried to test the program. I don't have an infected USB and I inserted one of my USBs just to see it in action. In two seconds I saw the result (see my screenshot 2). I clicked OK and got the suggestion to analyze the USB by full (screenshot 3). I agreed and instantly got the same result as in MO1. I clicked OK again and saw the scan results window (screenshot 4). I closed the window and saw the main window (screenshot 1) which I closed too.

My first impression is that the program is fast but the interface needs a lot of improvement and translation.

(http://s55.radikal.ru/i149/1209/bc/aeac75a22d79.jpg) (http://s018.radikal.ru/i524/1209/45/52dc39078753.png)  (http://i064.radikal.ru/1209/df/480fea049b31.jpg) (http://i032.radikal.ru/1209/4b/d27aa23da450.png)  (http://s54.radikal.ru/i143/1209/69/bb25844cf6c1.jpg) (http://s015.radikal.ru/i333/1209/6c/8bac083e3359.png)  (http://s019.radikal.ru/i608/1209/24/d6c52c0d84bf.jpg) (http://s41.radikal.ru/i092/1209/b1/e23490daa059.png)

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on September 12, 2012, 06:25:41 PM
Hi: I continue to use MCShield v.2.1.4 with no problems.
I have it set as 'on demand'. When using USB I execute MCS before inserting device. MCS updates immediately and then scans the Flashdrive.
I then allow MCS to run as I work through various Flashdrives.
Works for me. ;) :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Theo Peterbroers on September 12, 2012, 07:55:47 PM
Last part of my contribution, I reached page 20 of google and filtered against cnet, naevius, and some more. There are rogue sites offering to uninstall naevius, I saw some crack and keygen sites. All Youtube stuff is useless at best (showing you where to click), malicious at worst (linking to rogue software).

hXXp://www.myantispyware. com/2009/01/08/flash-disinfector-free-autoruninf-trojans-removal-tool/
hXXp://usb-disk-security. com/
hXXp://www.itechdaddy. com/USB_Antivirus.aspx
hXXp://www.ehow. com/list_6657744_usb-antivirus-tools.html
hXXp://www.autorunremover. com/effective-antivirus.html (I believe I saw that one in one of the links above)
hXXp://www.usbqc. com/
hXXp://kenai. com/projects/petirojo/sources/petirojo-svn/show
hXXp://www.usb-security-protection. com/download.html
hXXp://www.mydigitallife. info/new-lg-vaccine-usb-flash-drive-with-antivirus-and-malware-protection-software/

DOUBTFUL
hXXp://www.ubergizmo. com/2010/04/u-usb-hub-with-antivirus-scanning
hXXp://www.youtube. com/watch?v=qNrs89LadtU
hXXp://www.youtube. com/watch?v=1Woiwas1OQU LEGIT?
hXXp://www.youtube. com/watch?v=WehY2YoiBKk NOT LEGIT

I did contemplate about software to be installed on the usb device. This seems to offer protection to other pc's and environments (Linux, OS/X). But it also implies some form of autorun wherever it is supposed to be active. Autorun we avoid like the plague. Any protection to other pc's and environments should therefore be static.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: DavidR on September 12, 2012, 08:59:08 PM
When posting suspect urls it is best to break the link in a way so as there is no part of it displayed as an active link.

The easiest way to do that is to change http to hXXp e.g. hXXp://www.ehow.com/list_6657744_usb-antivirus-tools.html, so you just see a text format and the forum software doesn't show it as an active link.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: polonus on September 12, 2012, 10:29:30 PM
Hi DavidR,

Even a combination of these methods is to be preferred I think. If I give in htxp://wXw etc. I just have to highlight everything after the htxp:// and hopla it will open up in the browser as I give in enough of the location header (sometimes I do not even need to put www there - google will assist me to go there ).
If the broken link is a combination of your adopted breaking methods and spaces in between www domain name etc, no-one can load it mistakenly in the way I described. The same goes for placing a hyphen right in front of an address, this can also mistakenly be circumvented.
Somewhere we have to address this, but again and again I see newbies here that give live malware links all sorts, and some can be lively dangerous to click through, especially without ample precaution inside a browser and software that is exploitable (drive-by-downloads, incognito malcode and the like)...

polonus
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on September 12, 2012, 11:43:57 PM
Damien,
You can't stop those that want to visit infected sites from getting there. (True Indian managed to do it.....  :D :D :D )
As long as someone can't accidentally click on a live link, that should be sufficient IMHO.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: DavidR on September 13, 2012, 12:34:22 AM
The main point is that it doesn't create any part of what appears to be an active link. The URL with a space before the .com has the forum software trying to make it active. There are some browsers that will try to correct that malformed URL and the user could end up at the suspect/malicious site.

Hell avast may even do that with its SiteCorrect feature and Auto redirect enabled, assuming it works on your browser.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Theo Peterbroers on September 13, 2012, 09:38:50 AM
Then I underestimated the browsers, OMG all those things one has to take account of.  BTW, 'tis not malware I linked to.

@polonus: that was my reasoning for including a space.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: true indian on September 13, 2012, 02:14:26 PM
<snip> (True Indian managed to do it.....  :D :D :D )

somebody remembered me  ;D

Lah!!! ;D I didn't even infect my system...I do testing on a VM  ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on September 13, 2012, 09:55:50 PM
Guys, just wish to point out a couple things.  :)

There are bunch of USB Antivirus softwares. Some of them are good but...
Among few things, the main difference between those USB antivirus software and MCShield is:

- USB antivirus programs mainly work at the level of definition.
That means if your USB stick is infected by some malware, it will be blocked and removed by some USB AV only if it has his signature.

- MCS mainly works with his heuristics.
That means if your USB is infected by some malware, MCS will block and remove malware if using any known attack vector.

There is one more thing to know. There is no perfect software.   ;D



Title: Re: 2nd layer protection for USB drives: MCShield
Post by: SpeedyPC on September 14, 2012, 07:58:25 AM
There is one more thing to know. There is no perfect software.   ;D

100% correct ;) and the real question is do I really need MCShield when Avast & Outpost Pro FW both doing their job when I inserted the USB to my PC ??? :o
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: argus on September 14, 2012, 08:47:06 AM
If you have 20 folders on a USB drive and any of them is a worm, MCS will disinfect each folder separately. Here are examples of the log.
This is a beta version of V.1.  ;D

10.4.2010 21:41:58 > Checking F: ( ~2 GB, FAT flash drive )...

>>> F:\autorun.inf > Renamed.


---> Traces of file replicators have been found!

---> Running generic s&d routine...


---> Note: Win32.Brontok has been identified!

>>> F:\pozuda\malena.exe - Worm > Deleted. (10.04.10. 21.50 malena.exe.310803)

>>> F:\7-Zip Portable.exe - Worm > Deleted. (10.04.10. 21.50 7-Zip Portable.exe.775413)

>>> F:\AbiWord Portable.exe - Worm > Deleted. (10.04.10. 21.50 AbiWord Portable.exe.164937)

>>> F:\autorun.exe - Worm > Deleted. (10.04.10. 21.50 autorun.exe.370266)

>>> F:\AM-DeadLink.exe - Worm > Deleted. (10.04.10. 21.50 AM-DeadLink.exe.512535)

>>> F:\ArcThemALL!.exe - Worm > Deleted. (10.04.10. 21.50 ArcThemALL!.exe.882467)

>>> F:\Audacity.exe - Worm > Deleted. (10.04.10. 21.50 Audacity.exe.211817)

>>> F:\DCU.exe - Worm > Deleted. (10.04.10. 21.50 DCU.exe.223767)

>>> F:\Defraggler.exe - Worm > Deleted. (10.04.10. 21.50 Defraggler.exe.220542)

>>> F:\Directory Lister.exe - Worm > Deleted. (10.04.10. 21.50 Directory Lister.exe.26955)

>>> F:\Double Driver.exe - Worm > Deleted. (10.04.10. 21.50 Double Driver.exe.843601)

>>> F:\DSynchronize.exe - Worm > Deleted. (10.04.10. 21.50 DSynchronize.exe.402451)

>>> F:\DTaskManager.exe - Worm > Deleted. (10.04.10. 21.50 DTaskManager.exe.988153)

>>> F:\DVD Shrink.exe - Worm > Deleted. (10.04.10. 21.50 DVD Shrink.exe.231047)

>>> F:\eMule.exe - Worm > Deleted. (10.04.10. 21.50 eMule.exe.971208-)

>>> F:\EssentialPIM Portable.exe - Worm > Deleted. (10.04.10. 21.50 EssentialPIM Portable.exe.308648-)

>>> F:\Extra.exe - Worm > Deleted. (10.04.10. 21.50 Extra.exe.765168-)

>>> F:\Fast Explorer.exe - Worm > Deleted. (10.04.10. 21.50 Fast Explorer.exe.365914)

>>> F:\Data ADMINISTRATOR.exe - Worm > Deleted. (10.04.10. 21.50 Data ADMINISTRATOR.exe.157152)

>>> F:\7-Zip Portable\7-Zip Portable.exe - Worm > Deleted. (10.04.10. 21.50 7-Zip Portable.exe.49016)

>>> F:\7-Zip Portable\App\App.exe - Worm > Deleted. (10.04.10. 21.51 App.exe.685574)

>>> F:\7-Zip Portable\App\7-Zip\7-Zip.exe - Worm > Deleted. (10.04.10. 21.51 7-Zip.exe.939444)

>>> F:\7-Zip Portable\App\7-Zip\Lang\Lang.exe - Worm > Deleted. (10.04.10. 21.52 Lang.exe.984123)

>>> F:\7-Zip Portable\App\DefaultData\settings\settings.exe - Worm > Deleted. (10.04.10. 21.52 settings.exe.299917)

>>> F:\7-Zip Portable\Docs\Docs.exe - Worm > Deleted. (10.04.10. 21.52 Docs.exe.606395)

>>> F:\7-Zip Portable\Docs\Other\Help\images\images.exe - Worm > Deleted. (10.04.10. 21.52 images.exe.121514)

>>> F:\7-Zip Portable\Docs\Other\Source\Source.exe - Worm > Deleted. (10.04.10. 21.52 Source.exe.434815)

>>> F:\AbiWord Portable\AbiWord Portable.exe - Worm > Deleted. (10.04.10. 21.52 AbiWord Portable.exe.9760)

>>> F:\AbiWord Portable\App\App.exe - Worm > Deleted. (10.04.10. 21.52 App.exe.951171)

>>> F:\AbiWord Portable\App\DefaultData\settings\settings.exe - Worm > Deleted. (10.04.10. 21.52 settings.exe.579467)

>>> F:\AbiWord Portable\Docs\Docs.exe - Worm > Deleted. (10.04.10. 21.53 Docs.exe.941481)

>>> F:\AbiWord Portable\Docs\Other\Help\images\images.exe - Worm > Deleted. (10.04.10. 21.53 images.exe.303804)

>>> F:\AbiWord Portable\Docs\Other\Source\Source.exe - Worm > Deleted. (10.04.10. 21.53 Source.exe.506247)

>>> F:\AM-DeadLink\AM-DeadLink.exe - Worm > Deleted. (10.04.10. 21.53 AM-DeadLink.exe.400385)

>>> F:\AM-DeadLink\lang\lang.exe - Worm > Deleted. (10.04.10. 21.53 lang.exe.842605)

>>> F:\Extra\Eigenmath\Eigenmath.exe - Worm > Deleted. (10.04.10. 21.53 Eigenmath.exe.380858-)

>>> F:\Extra\eToolz\eToolz.exe - Worm > Deleted. (10.04.10. 21.53 eToolz.exe.936342)

>>> F:\Extra\eXpresso\eXpresso.exe - Worm > Deleted. (10.04.10. 21.53 eXpresso.exe.139397)

>>> F:\Extra\FileTypesMan\FileTypesMan.exe - Worm > Deleted. (10.04.10. 21.53 FileTypesMan.exe.413121)

>>> F:\Extra\HD Tune\HD Tune.exe - Worm > Deleted. (10.04.10. 21.53 HD Tune.exe.755064)

>>> F:\Extra\HotKeyz\HotKeyz.exe - Worm > Deleted. (10.04.10. 21.53 HotKeyz.exe.259995)

>>> F:\Extra\HxD\HxD.exe - Worm > Deleted. (10.04.10. 21.53 HxD.exe.853525)

>>> F:\Extra\KiTTY\KiTTY.exe - Worm > Deleted. (10.04.10. 21.53 KiTTY.exe.286650)

>>> F:\Extra\md5hash\md5hash.exe - Worm > Deleted. (10.04.10. 21.53 md5hash.exe.545199)

>>> F:\Extra\MyUninstaller\MyUninstaller.exe - Worm > Deleted. (10.04.10. 21.53 MyUninstaller.exe.38059)

>>> F:\Extra\NetSetMan\NetSetMan.exe - Worm > Deleted. (10.04.10. 21.53 NetSetMan.exe.146698-)

>>> F:\Extra\NetWorx\NetWorx.exe - Worm > Deleted. (10.04.10. 21.53 NetWorx.exe.706599)

>>> F:\Extra\RegASSASSIN\RegASSASSIN.exe - Worm > Deleted. (10.04.10. 21.53 RegASSASSIN.exe.593608-)

>>> F:\Extra\RegFromApp\RegFromApp.exe - Worm > Deleted. (10.04.10. 21.53 RegFromApp.exe.991573)

>>> F:\Extra\Registry Tweaker\Registry Tweaker.exe - Worm > Deleted. (10.04.10. 21.53 Registry Tweaker.exe.739955)

>>> F:\Extra\RegScanner\RegScanner.exe - Worm > Deleted. (10.04.10. 21.53 RegScanner.exe.508190)

>>> F:\Extra\Regshot\Regshot.exe - Worm > Deleted. (10.04.10. 21.53 Regshot.exe.149955)

>>> F:\Extra\ShellExView\ShellExView.exe - Worm > Deleted. (10.04.10. 21.53 ShellExView.exe.61148-)

>>> F:\Extra\ShellMenuView\ShellMenuView.exe - Worm > Deleted. (10.04.10. 21.53 ShellMenuView.exe.698541)

>>> F:\Extra\SQLiteSpy\SQLiteSpy.exe - Worm > Deleted. (10.04.10. 21.53 SQLiteSpy.exe.494020)

>>> F:\Extra\Unlocker Portable\App\Unlocker\Unlocker.exe - Worm > Deleted. (10.04.10. 21.53 Unlocker.exe.963310)

>>> F:\Extra\USBDeview\USBDeview.exe - Worm > Deleted. (10.04.10. 21.53 USBDeview.exe.588064)

>>> F:\Extra\VirtuaWin\VirtuaWin.exe - Worm > Deleted. (10.04.10. 21.53 VirtuaWin.exe.816264)

>>> F:\Extra\Volumouse\Volumouse.exe - Worm > Deleted. (10.04.10. 21.53 Volumouse.exe.824672)

>>> F:\Extra\WinIPS\WinIPS.exe - Worm > Deleted. (10.04.10. 21.53 WinIPS.exe.667293)

..........

> F:\pozuda
>>> F:\pozuda - Worm.Traces > Deleted. (10.04.10. 21.57 pozuda.449012)

>>> F:\pozuda.exe - Worm.Sus > Renamed.

> Restoring defaults: F:\7-Zip Portable

> Restoring defaults: F:\AbiWord Portable

> Restoring defaults: F:\AM-DeadLink

> Restoring defaults: F:\ArcThemALL!

> Restoring defaults: F:\Audacity

> Restoring defaults: F:\DCU

> Restoring defaults: F:\Defraggler

> Restoring defaults: F:\Directory Lister

> Restoring defaults: F:\Double Driver

> Restoring defaults: F:\DSynchronize

> Restoring defaults: F:\DTaskManager

> Restoring defaults: F:\DVD Shrink

> Restoring defaults: F:\eMule

> Restoring defaults: F:\EssentialPIM Portable

> Restoring defaults: F:\Extra

> Restoring defaults: F:\Fast Explorer


The message exceeds the maximum allowed length (10000 characters).

Not all the care in the post  ;D
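A way to turn a log like the one posted above into records for triage, as an added example that is not part of the original post and is not MCShield's own code. The line patterns are inferred only from the lines visible in this log (a V.1 beta), and `SAMPLE_LOG`, `parse_log`, `summarize` and `review_queue` are hypothetical names.

```python
"""Parse MCShield-style scan log lines into records (added example)."""
import re
from collections import Counter

# Constructed sample: a handful of lines in the format of the log posted above.
SAMPLE_LOG = r"""
10.4.2010 21:41:58 > Checking F: ( ~2 GB, FAT flash drive )...
>>> F:\autorun.inf > Renamed.
---> Note: Win32.Brontok has been identified!
>>> F:\pozuda\malena.exe - Worm > Deleted. (10.04.10. 21.50 malena.exe.310803)
>>> F:\7-Zip Portable\App\App.exe - Worm > Deleted. (10.04.10. 21.51 App.exe.685574)
>>> F:\pozuda - Worm.Traces > Deleted. (10.04.10. 21.57 pozuda.449012)
>>> F:\pozuda.exe - Worm.Sus > Renamed.
> Restoring defaults: F:\7-Zip Portable
"""

# Assumed line shapes, inferred from the visible log only.
ITEM = re.compile(
    r"^>>>\s+(?P<path>.+?)"            # treated file or folder
    r"(?:\s+-\s+(?P<label>[\w.]+))?"   # optional class, e.g. Worm, Worm.Sus
    r"\s+>\s+(?P<action>\w+)\."        # Renamed / Deleted
    r"(?:\s+\((?P<stamp>.+)\))?\s*$"   # optional stamp shown in parentheses
)
NOTE = re.compile(r"^--->\s+Note:\s+(?P<name>\S+) has been identified!")
RESTORE = re.compile(r"^>\s+Restoring defaults:\s+(?P<path>.+?)\s*$")


def parse_log(text):
    """Return {'items': [...], 'notes': [...], 'restored': [...]} for one log."""
    report = {"items": [], "notes": [], "restored": []}
    for raw in text.splitlines():
        line = raw.strip()
        item = ITEM.match(line)
        if item:
            report["items"].append({
                "path": item["path"],
                "label": item["label"] or "unclassified",
                "action": item["action"],
                "stamp": item["stamp"],
            })
            continue
        note = NOTE.match(line)
        if note:
            report["notes"].append(note["name"])
            continue
        restored = RESTORE.match(line)
        if restored:
            report["restored"].append(restored["path"])
    return report


def summarize(report):
    """Count treated items per (label, action) pair."""
    return Counter((i["label"], i["action"]) for i in report["items"])


def review_queue(report):
    """Renamed items are still on the drive under a new name: check them first."""
    return [i["path"] for i in report["items"] if i["action"] == "Renamed"]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for (label, action), count in sorted(summarize(parsed).items()):
        print(f"{count:3d}  {action:8s} {label}")
    print("review first:", review_queue(parsed))
```
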
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: polonus on September 14, 2012, 02:15:40 PM
I had a problem today with McShield 2, start-up on Vista failed and a repair to "last good start up" removed just McShield 2. Then I also checked SpywareBlaster and saw I had to restore protection in SpywareBlaster for some IE protection items. Why this happened? Two Skype plug-ins that I uninstalled were back installed in IE after that repair routine. I disabled them again, restored full protection and re-installed McShield 2. I think Skype is behaving rather aggressive. I will see what will happen next,

polonus
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: adotd on September 14, 2012, 02:32:30 PM
I have MCShield on my computer

it renamed a file called explorer.exe on my memory stick to explorer.exe.vir

it said it was suspicious however it was a problem that I renamed to explorer.exe  ::)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: polonus on September 14, 2012, 02:44:21 PM
Hi adotd,

As with all solutions that have to prove themselves, we will keep a scrutinous eye on this one. Might be it gives this second layer of additional protection others do not have, and that is a valuable asset. You know however going on full heuristics does also mean you are meant to meet the next false positive. So there always should be a mix of detection methods involved. Also what I miss is user interaction when some issue has been detected. At least a hash look-up or an indication of the malware type and subtype, so the user might explore what it is all about what is being flagged. There is a might of difference between finding up some packer heuristics for riskware and a highly dangerous file infector of some sort. But as the protection range of this av might be limited to the typical malware for your peripherals like usb sticks, that go under the normal av detection radar, this will make the evaluation of what is being found even more difficult,

polonus
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on September 14, 2012, 02:53:33 PM
Unfortunately for me it turned my bootable USB into an unbootable USB.
I've removed it some time ago. I needed protection from the bad guys.
I didn't expect the good guys to attack my bootable USB.  :(
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: polonus on September 14, 2012, 03:30:43 PM
Hi bob3160,

You can restore it on that USB using bootsect command, re: http://technet.microsoft.com/en-us/library/cc749177(v=ws.10).aspx
see: http://www.maximumpc.com/article/howtos/how_to_install_windows_7_beta_a_usb_key

polonus
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on September 14, 2012, 03:37:06 PM
Unfortunately for me it turned my bootable USB into an unbootable USB.
I've removed it some time ago. I needed protection from the bad guys.
I didn't expect the good guys to attack my bootable USB.  :(
as we do with avast .....also send the info to MCShield support so they can fix the issue
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on September 14, 2012, 03:39:06 PM
Unfortunately for me it turned my bootable USB into an unbootable USB.
I've removed it some time ago. I needed protection from the bad guys.
I didn't expect the good guys to attack my bootable USB.  :(
as we do with avast .....also send the info to MCShield support so they can fix the issue
I did that in the beginning of this topic. :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: George Yves on September 14, 2012, 05:16:15 PM
As you know, MCShield refused to work on my Vista notebook because of constant program's crashes. Lately I tried MX One Antivirus but I had to remove it either. The real-time shield is working OK but again I get pop-ups: now they say the program's antivirus engine was stopped.

I think this separate "2nd layer protection for USB drives" isn't a protection at all. There must be only one antivirus and it is Avast for me. And I believe that we need only one thing - to realize that suggestion (http://forum.avast.com/index.php?topic=104401.msg837490#msg837490) by Andrey,pro.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on September 14, 2012, 05:35:23 PM
+1
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: polonus on September 14, 2012, 05:36:59 PM
Hi George Yves,

So I turned the program off and closed in exit. So try it only when I use peripherals, just to be sure there are no conflicts with my resident av solution, that is avast. The more like conflicts between programs are not much discussed about, but they exist. Strange changes to SpywareBlaster after users installed MBAM,
the sudden reappearance of the Skype toolbar after it had been disabled in IE. I agree with you a boot repair is too big an incident from a solution that is no longer beta, it should not happen,

polonus
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: argus on September 16, 2012, 07:56:18 PM
Today the scanned USB sticks.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on September 16, 2012, 10:00:27 PM
Hi adotd,

As with all solutions that have to prove themselves, we will keep a scrutinous eye on this one. Might be it gives this second layer of additional protection others do not have, and that is a valuable asset. You know however going on full heuristics does also mean you are meant to meet the next false positive. So there always should be a mix of detection methods involved. Also what I miss is user interaction when some issue has been detected. At least a hash look-up or an indication of the malware type and subtype, so the user might explore what it is all about what is being flagged. There is a might of difference between finding up some packer heuristics for riskware and a highly dangerous file infector of some sort. But as the protection range of this av might be limited to the typical malware for your peripherals like usb sticks, that go under the normal av detection radar, this will make the evaluation of what is being found even more difficult,

polonus

Important thing to note is that MCShield's heuristics are not what you're used to see in an average antivirus. When I say heuristics, I do not talk about detections based on compilers, exe compressors, partial signatures, etc. like in the case of an AV, but I'm talking about recognizing "static behavior" (basically, what the files and the folders on a flash drive "look like"). So, the program tries to recognize malware by analyzing the file system; files and folders - their characteristics and relations to other files and folders on the drive. These analyses are based on algorithms designed to be "triggered" by a "behavior" (what they do on a flash drive in the process of infection) of different worm families using various methods to initiate the infection (autorun functionality, exploits or simply tricks to make the user to run malware).

When it comes to FPs, most are made in the part of the code that analyses autorun files and these are almost always "rename FPs" (meaning: the file is not known as a good one, so, to be on the safe side, it's renamed).
Why is this routine making more FPs than all other (and there are 13 more)? Simply because it goes by the rule: autorun.inf and the related files are bad unless proven to be legit.
Is this the right approach? Well, there are millions of worms using autorun and there's, let's say, a few hundred legit programs that do the same.
This seems like a simple choice to me. I might be wrong, but I'll rather take the blame for renaming a legit file than let a piece of malware slip through.
All other detection routines shouldn't really be triggered by users files/folders. This can happen (people do "stuff"  :)), but it's not that common.

polonus mentioned that it's not easy to test this kind of software; I agree.
I'm quite certain there are parts of the code in the scanner that have never been triggered on users' computers in these 2.5 years.
Basically, what you guys have seen so far is just one small part of MCShield's possibilities. AntiAutorun, AntiLNK, three AntiReplicator routines, AntiRimecud, two AntiMimics, known bad file/folder names, hashes, AntiEsfury (folder name heur.), general/blended file heuristics (files are checked in 6 ways)...

What I'm trying to say: to test MCS, one needs to take a large flash drive containing a bunch of files and folders (hundreds or thousands) and then connect the drive to PCs infected with various worm families. Simply put: the more malware you get in there, the better detection you'll get. Why? MCS uses, in most of its routines, adaptive scanning. A lot of different malware shall trigger more detection code; different parts of this code overlap, meaning that on a heavily infected drive, one same malicious file might be caught several times (so it won't get undetected that easily).

A good example is the log argus posted. All malicious files on both drives are identical. On the first drive, malware was just renamed.
On the other drive, malware was detected by at least two detection routines and got deleted.
As I said, the more, the merrier.  ;D


SpeedyPC asked: do I need this? Well, let's put it this way: MCS is going to try to remove malware (files and folders), restore the attributes of your folders in case it suspects they are hidden by malware, and also try to recover (rename, unhide) your files (some worms also mess with users' files, not just folders; they can be either renamed and hidden or simply deleted). If you know how malware works/infects and you have time to spare (I've seen logs with thousands of treated items - this could take a while to fix), all this can be done manually (assuming that you're fully patched and everything that needs to be, is disabled).
If the question is: "I have an AV, does it need help?" - then: oh, yes, your AV needs help. Be it some powerful HIPS so you can do the cleanup manually (without getting infected), or some programs like the one I'm trying to "sell" you. :)

Compatibility? MCS can work alongside any AV. It doesn't use any drivers or services and it does not protect itself - it is the AV that can cause trouble to MCS (block it while working), but even this won't cause any real trouble.
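The "static behavior" idea described in the post above, sketched as a report-only scanner; this is an added example, not part of the original post and not MCShield's code or algorithm. It assumes two simplified rules: a root autorun.inf is reported unless its SHA-256 is on an allowlist, and executables named after a sibling or parent folder are reported, graded as "replicator" when several of them have identical content. All function names and the sample layout are hypothetical.

```python
"""Report-only static layout checks for a removable drive (added example)."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
# autorun.inf keys that name a program to launch
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)$", re.I)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def autorun_targets(inf_path):
    """Return the programs an autorun.inf would launch, skipping junk lines."""
    targets = []
    with open(inf_path, "r", encoding="latin-1") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith(";") or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key) and value:
                # First token (quoted or bare) is the program; the rest are arguments.
                match = re.match(r'"([^"]+)"|(\S+)', value)
                targets.append(match.group(1) or match.group(2))
    return targets


def folder_mimics(root):
    """Yield relative paths of executables named after a sibling or parent folder."""
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = {d.lower() for d in dirnames}
        parent = os.path.basename(dirpath).lower()
        at_root = os.path.abspath(dirpath) == os.path.abspath(root)
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in EXEC_EXT:
                continue
            if stem.lower() in siblings or (not at_root and stem.lower() == parent):
                yield os.path.relpath(os.path.join(dirpath, name), root)


def scan_drive(root, allowlist=frozenset()):
    """Return sorted (rule, relative_path) findings; nothing on the drive is changed."""
    findings = []
    for entry in os.scandir(root):
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            if sha256_of(entry.path) not in allowlist:  # bad unless proven legit
                findings.append(("autorun", entry.name))
                findings += [("autorun-target", t) for t in autorun_targets(entry.path)]
    by_digest = defaultdict(list)
    for rel in folder_mimics(root):
        digest = sha256_of(os.path.join(root, rel))
        if digest not in allowlist:
            by_digest[digest].append(rel.replace(os.sep, "/"))
    for paths in by_digest.values():
        # The same bytes under several folder-derived names is the stronger signal.
        rule = "replicator" if len(paths) > 1 else "folder-mimic"
        findings += [(rule, p) for p in paths]
    return sorted(findings)


def build_sample_drive(root):
    """Constructed sample layout: placeholder bytes, not real binaries."""
    copy = b"constructed placeholder A"
    files = {
        "autorun.inf": b'[autorun]\r\n;junk\r\nopen=pozuda.exe /s\r\n'
                       b'shell\\open\\command="my tool.exe"\r\n',
        "DCIM.exe": copy,
        "DCIM/100CANON/IMG_0001.JPG": b"jpeg",
        "Tools/Tools.exe": copy,
        "Tools/readme.txt": b"text",
        "Audio/Audio.exe": b"constructed placeholder B",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo(allowlist=frozenset()):
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return scan_drive(root, allowlist)


if __name__ == "__main__":
    for rule, path in demo():
        print(f"{rule:15s} {path}")
```

A lone `Audio/Audio.exe` is graded only as "folder-mimic" because legitimate programs often ship an executable named after their own folder; that is the kind of item an allowlist entry would clear.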
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on September 16, 2012, 10:10:41 PM
@dr_Bora
question ....are you swedish ?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on September 16, 2012, 10:31:34 PM
Until now, I've got two usb sticks that triggered MCShield. Although both are false positives, they were really suspicious. One with a program manufacturer that try to backup things on my computer, and other executables (not setup files).
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on September 16, 2012, 10:43:29 PM
Pondus, no, not really.  :)
I moved to Sweden a few years ago from Serbia.

Tech, if detections are still present, I would appreciate MD5s of those files so I can add them to whitelist (I've whitelisted a few files in the last couple of days, could be that they are already fixed).
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on September 16, 2012, 10:45:13 PM
Quote
Pondus, no, not really.
I moved to Sweden a few years ago from Serbia.
OK ...then we are neighbours  ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on September 16, 2012, 11:31:09 PM
Tech, if detections are still present, I would appreciate MD5s of those files so I can add them to whitelist (I've whitelisted a few files in the last couple of days, could be that they are already fixed).
Sorry, I formatted the disk on that occasion as I did not have time to deal with my friend's usb drive.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on November 15, 2012, 01:36:43 PM
Is anybody else receiving this error of MCShield on Windows 8 (x64)?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on November 15, 2012, 07:15:41 PM
Is anybody else receiving this error of MCShield on Windows 8 (x64)?

Your error has just been reported to dr_Bora.  ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on November 15, 2012, 07:22:03 PM
Tech, when exactly does this error occur?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on November 15, 2012, 07:34:11 PM
Tech, it seems the database is damaged. Run an update and try to scan some drive.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on November 15, 2012, 09:46:06 PM
Tech, when exactly does this error occur?
Each boot.

Tech, it seems the database is damaged. Run an update and try to scan some drive.
There is no update for me...

You have the latest program version
You have the latest database version
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Charyb-0 on November 15, 2012, 10:23:31 PM
dr_bora,
You have your own website and forum. Instead of using avast's forum for advertising and troubleshooting your buggy program, why not use your own?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on November 15, 2012, 10:36:34 PM
dr_bora,
You have your own website and forum. Instead of using avast's forum for advertising and troubleshooting your buggy program, why not use your own?
I've started the question. He is just helping me in the General Forum. I cannot see anything "illegal" on this.
About a "buggy program", well, I'm receiving support and it is working :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on November 15, 2012, 11:12:28 PM
The part of the code that's crashing is used to check the database (to verify that all the sections are in there). What happens is that the program noticed that the end of file marker is missing (damaged file?) and it tries to write a note in the logfile but it fails to do that because I forgot to open the log file first.  ;D
So, there's a bug, but it's in fact pointing to another issue. New database should fix that. The current (uploaded just before I wrote my previous post) is v2012.11.15.1. It is possible that the program auto updated in the meanwhile.
Anyway, didn't really understand if the issue is fixed or not; you can check that by connecting some flash drive (if it occurs on boot, it should also happen when a drive is connected).
If it's still happening, please mail me your MCSDB.bin (Start > search: %AllUsersProfile%\MCShield ). The e-mail address is on the about tab.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on November 15, 2012, 11:23:59 PM
I've been following the info provided about MCShield from MyCity folks
It's useful as I run it in combination with Avast products :) 8)

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on November 15, 2012, 11:42:51 PM
For me it unfortunately has only destroyed a bootable Windows 8 usb.  :'(
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on November 25, 2012, 04:37:47 AM
For Dr. Bora,

I just tested your program.

As soon as the program opened and started to run --- before I could adjust any of its settings --- it found and deleted two files from my Lenovo RECOVERY PARTITION (Hard Drive):

11/24/2012 8:41:27 PM > Drive Q: - scan started (Lenovo_Recovery ~14 GB, NTFS HDD )...

>>> Q:\autorun.inf > Suspicious > Renamed.

>>> Q:\autorun.inf.vir - Malware > Deleted. (12.11.24. 20.41 autorun.inf.vir.372601; MD5: 492cf5b9300a6105893b8dd40031a141)

>>> Q:\LenovoQDrive.exe - Malware > Deleted. (12.11.24. 20.41 LenovoQDrive.exe.289741; MD5: 84d2d80e141e3e79aa0725e293ec83dc)


=> Malicious files   : 2/2 deleted.

==========================

I was taken aback --- especially when I looked into the program's quarantine area, and it "appeared" empty.   Fortunately, despite anxiety, I didn't completely panic.   I was able to locate the actual quarantine folder (in Windows Explorer and/or via the Command Prompt) and determined the files WERE present --- as HIDDEN+SYSTEM files.   By removing the hidden+system attributes, I was then able to "see" these files under McShield's Quarantine tab, and so was finally able to RESTORE them [hopefully correctly] to the Lenovo Q:\ Recovery Drive.

I would NOT want anyone else to experience this!

Question:   Does McShield maintain the file attributes as they were in the original location?   That is to say, should I make these two files HIDDEN+SYSTEM on my Q: drive after having restored them?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on November 25, 2012, 10:33:45 AM
1. The files are whitelisted, detection should not occur again.

2. The items not showing in quarantine despite being there: obviously, a bug that needs to be fixed.

3. The files were hidden, you can hide them again if you wish.

I hope you understand the data in your recovery partition was not damaged in any way (in fact, that's not even a recovery partition, it's a backup partition). The program LenovoQDrive.exe is used to create recovery media and to delete the contents of that partition ("Lenovo has provided a copy of the original factory preloaded software in this partition. For convenience, this utility allows you to recover this space once you have made a copy of this software to DVD. We strongly recommend that you make a copy using the Create recovery media utility in the Windows start menu or by selecting the option below..." - so, if you have a recovery DVD, you can delete everything on that partition and free HDD space.).
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on November 25, 2012, 04:06:07 PM
Dr. Bora,

Thank you for your prompt reply.

The opening sentence of your program's documentation states: 
http://amf.mycity.rs/mcshield/Doc/MCShield_Help_EN.pdf
"MCShield is an antimalware tool designed to prevent infections transmitted via removable drives (USB flash drives, memory cards..., external hard drives)".   Granted, later on (page 3) it notes the option to "enable initial scan of all hard drives" --- without explicitly stating whether these are only the external ones, as cited above, or the internal ones as well... apparently, based on my experience, the latter case is what occurs.   Since this option was pre-checked, the internal hard drives are scanned immediately, as soon as the program runs for the first time.

My interest in testing MCShield was for its removable drive protection (to supplement an anti-virus program).   I assume that's the case for most people trying it.  So my first question is whether MCShield should even be considering internal hard drives at all?    And secondly, why is the hard-drive option pre-selected by default [on the initial run of the program]?  I can imagine a less-experienced user panicking when s/he sees some files "deleted" from their main hard drive... and in a worst-case scenario, finding out their system doesn't boot-up again. 

Isn't renaming of the suspicious/malware files [in-place, on their drives] sufficient to stop the malware from executing as intended?   Is it really necessary to also quarantine it?   Perhaps you might consider having your program distinguish between internal drives and removable drives, limiting the impact on internal drives solely to renaming???

1. "The files are whitelisted, detection should not occur again".   Thank you!   I had also added them to MY whitelist tab --- before seeing this response.   (I doubt "double-whitelisting" can hurt anything.)

2. "The items not showing in quarantine despite being there: obviously, a bug that needs to be fixed".  I would consider this a very significant "bug"... I'm surprised that no one else (??) had reported it previously.  By the way, the same thing [no files appearing under the quarantine tab] happened on another system (Dell PC, USB drive).   This can be very scary to just about any user, no matter how experienced they might be.

3. "the data in your recovery partition was not damaged in any way... "  Thank you very much for this reassurance.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on November 25, 2012, 04:24:36 PM
The first rule should always be "Do no Harm". I haven't found that to be the case and, for that reason, decided to opt out.
I'll wait till this program has become more mature and reliable.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on November 25, 2012, 07:02:21 PM
@bob
It has already been discussed & explained that MCS is a very good & quality tool, but it has never been said that MCS was perfect. Does perfect software exist?
FPs unfortunately must happen sometimes, but with the purpose of better detection in the future. FPs are mainly related to just autorun.inf (...if it comes to FPs)
This is the main reason why MCS renames suspicious autoruns to prevent the execution of malicious malware.
If you are able to make a better tool than MCS is, then be assured that I will use your tool, and recommend it to others.  :D

Let's forget MCS for a moment. Every leading protection software, once in its life (or more than once), has had such a heavy FP that some of them led to a system crash.
Does this mean that such FP detection will not occur anymore? Does this mean that they are all bad products?
No and No.
Most of them are still the best software for malware protections...

MCS has been active for just about ~ two years. Developers don't earn by developing MCS, nor do they have some kind of income. They all work on a voluntary basis, and they use their free time to develop MCS.
Another important fact is that the authors of the MCS program are malware removal experts who have been in this "business" long before me.
From these facts, the authors know how malware works, and how best to prevent the same from execution.

From what I have written above ...  if you're not willing to "help" in developing, then the least you can do is to admit their hard work.
Not just belittling some hard work.

Please, don't get me wrong, and don't take my post too critically but I had to answer you.  ;D
If you don't like it, just don't use it.  :)

Best regards bob,
magna
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on November 25, 2012, 07:07:09 PM
I didn't belittle, I simply listed my reasons for no longer using the product.
I praise things I like not things that give me problems.

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on November 25, 2012, 07:09:28 PM
The first rule should always be "Do no Harm".
Dr. Bora, I feel the same. User must be warned (at least it should have a setting for that).
Automatic quarantine and false positives are a bad user experience...
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on November 25, 2012, 07:12:04 PM
Since this option was pre-checked, the internal hard drives are scanned immediately, as soon as the program runs for the first time.
Hmmm... Maybe it should detect if it is a fixed drive or a removable one and not by the letter only...
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: iroc9555 on November 25, 2012, 09:30:54 PM
My interest in testing MCShield was for its removable drive protection (to supplement an anti-virus program).   I assume that's the case for most people trying it.  So my first question is whether MCShield should even be considering internal hard drives at all?    And secondly, why is the hard-drive option pre-selected by default [on the initial run of the program]?  I can imagine a less-experienced user panicking when s/he sees some files "deleted" from their main hard drive... and in a worst-case scenario, finding out their system doesn't boot-up again. 

+1


Dr. Bora, I feel the same. User must be warned (at least it should have a setting for that).
Automatic quarantine and false positives are a bad user experience...

+1 too. Feel the same. MCShield needs some kind of alert before automatically renaming/quarantining anything.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on November 25, 2012, 09:35:32 PM
Regarding the hard drives treatment... There is no way for me to know if a drive is indeed internal fixed drive or external / removable (in some way) hard drive.
A HDD can be assembled inside the PC case and tightened with screws. The same drive can be in some kind of a HDD rack. The same drive can be connected via some kind of cable/adapter. You can also have a HDD that connects only via USB. All these are considered to be hard disk drives and Windows treats them in the same way; so does MCS.

So, I can choose between scanning hard drives or not scanning hard drives. Why was the first option chosen?
Let's take the example of ky331's hard drive: in this case, the program made a FP. Sure, that's bad. The program sucks. Right?

Now, let's say that ky331 took that hard drive and connected it to his neighbour's PC to transfer some files. Let's also say that the other guy's PC is infected with Win32.Sality file infector. This does not necessarily mean that ky331's files are infected, but what it does mean is that the virus has placed its dropper (a worm component) to the root of the hard drive's partitions.

The hard drive is reconnected back to the originating PC and the PC is turned on. MCS starts the initial scan and removes the malware dropper and prevents infection with Sality. Is this still bad? Does the program still suck?

What I'm trying to say is that there's a good reason why MCS performs a quick scan of the root of the HDD partitions.

The initial scan is performed every time the program is started; that's why the scan happens directly after installation. What I could do here is to make the setup ask the user whether to perform the scan immediately or not (if it's considered desirable). Can't really think of anything else I could change regarding this (HDD scan could be unchecked by default, but this doesn't sound like a good idea).



As I explained on previous pages, there's no time to ask about some things, they simply need to be done immediately and implementing any kind of "ask the user" option is not that easy. I do have an idea of an approach that could be of interest to advanced users, but it's still in the "thinking about it" phase so I don't want to make any promises (when I have a working build I'll let you test it and give opinions whether that's what you want before full implementation (GUI changes, translations, etc.)).
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on November 25, 2012, 10:04:49 PM
I didn't belittle, I simply listed my reasons for no longer using the product.
I praise things I like not things that give me problems.
well....there are some that have problems with avast also...
and I remember a big FP case that turned this forum upside down and inside out for a week or so



magna86
Quote
Another important fact is that the authors of MCS program are malware removal experts who have been in this "business" long before me.
From these facts, the authors know how malware works, and how best to prevent the same from execution.
+1 ..... yepp, that's why it is best to leave this to those who know this stuff best

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on November 26, 2012, 12:36:52 AM
there's no time to ask about some things, they simply need to be done immediately and implementing any kind of "ask the user" option is not that easy.
Well, I think we're talking about drivers and a service... aren't we?
The automatic send to quarantine could be configured in an antivirus this way, blocking/freezing the actions of the file. Would this be a conflict with running antivirus and MCShield?

At least, if a file is moved, the user cannot have the possibility of NOT seeing the alert window/report. Right now, the user could disable this and won't even know that MCShield has moved a file...
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on November 26, 2012, 01:04:47 AM
Quote
Right now, the user could disable this and won't even know that MCShield has moved a file...
there is a log   ;)

all programs > MCShield > log
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on November 26, 2012, 01:33:35 AM
Dr. Bora,

I hope you're not taking my comments... and what I intended as suggestions... the wrong way.   I never said your program "sucked" (to use the word you invoked in your recent reply).   I understand FP's are a part of anti-virus / anti-malware "life", especially when it comes to heuristic detections, and that this will never change.   I accept that.

Indeed, I am still keeping and continuing to test your program on 3 systems.   If I didn't believe in its potential/value, I would have immediately removed it from them all.

I offered a suggestion about distinguishing between internal and external hard drives... and you've explained that this is not feasible.

I questioned whether detections on hard drives should be pre-selected by default... or even at all... and you've offered your expert analysis as to why this should be the case.

But there was a third suggestion that I don't believe you've responded to yet... and so I would like to ask again:   Isn't renaming of the suspicious/malware files [in-place, on their drives] sufficient to stop the malware from executing as intended?   Is it really necessary to also quarantine it?   I am now asking this question in general, be it for hard drives (internal or external) or for any other removable media such as USBs?   Unless your contention is that renaming is insufficient to stop the malware's action, I believe renaming would be more transparent to users, and easier for them to "fix" in the event of a F/P.   

If nothing else, I believe my reporting the "hiding" of files from your quarantine --- which you acknowledged as a "bug" --- is an important, concrete improvement that I expect you will be implementing at your earliest convenience.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on November 26, 2012, 12:36:03 PM
Quote
Right now, the user could disable this and won't even know that MCShield has moved a file...
there is a log   ;)

all programs > MCShield > log
Log? Will a user look for a log? It should be a visible warning...
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on November 27, 2012, 12:13:49 AM
ky331, I'm not taking your (and not just yours) comments the wrong way. Almost 3 years ago, MCS consisted of one exe file, it was without the GUI, there were no settings and you couldn't even close the program (the scanner worked completely silently in the background).
Thanks to suggestions/bug reports/feature requests... like yours, it evolved to its current form. I'm always grateful for any feedback (as long as it's not intentionally malicious and without any ground in reality and personal experience with the program).

Will rename do the job? Sure, it would do, but using this as default and only action would force the users to manually clean the drive after the scan.
So, it comes to balancing between ease of use in different situations (and proper detections are, of course, much more common than mistakes). It would be possible to have an option like "never delete, just rename". Basically, quite easy to implement in the scanner, the hardest part is finding the place in the GUI for another option and updating translations and documentation.

The quarantine issue: I've been running the fixed dll since yesterday. As soon as I've tested enough to feel confident about proper functionality, update will be released (ETA: 1-3 days).

Quote
Well, I think we're talking about drivers and a service... aren't we?

That's one approach, but we're not going there, because going there means possible driver conflicts with other security software (and I've promised a long time ago that MCS shall never cause a BSOD or OS crash - it's there to help the AV, not to make a mess).

As I mentioned, I have an idea how I could implement a certain degree of user interaction. So, some stuff needs to be done fast and I can't ask, but... I can perform the action, and then ask: if the user says no, then I can reverse the action. Other things can be directly decided by users. Could be a "bit" tricky to implement this (wasn't really planned), but I'll try.
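The "perform the action, then ask, and reverse it if the user says no" idea from the post above, sketched as an added example (it is not MCShield's code and not part of any post). The function names, the JSON-lines journal, the SHA-256 check and the use of POSIX mode bits as a stand-in for the Windows hidden/system attributes are all assumptions of this sketch; only the `.vir` suffix comes from the log quoted earlier in the thread.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

SUFFIX = ".vir"  # suffix visible in the scan log quoted earlier in the thread


def _digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def _append(journal, entry):
    # Append-only journal, flushed to disk before the file system is touched.
    with open(journal, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
        fh.flush()
        os.fsync(fh.fileno())


def neutralize(target, journal):
    """Act first: rename in place, strip execute bits, record how to undo."""
    target = Path(target)
    renamed = target.with_name(target.name + SUFFIX)
    if renamed.exists():
        raise FileExistsError(renamed)
    entry = {
        "original": str(target),
        "renamed": str(renamed),
        # POSIX mode bits stand in for the Windows hidden/system attributes
        # discussed in the thread (assumption made for this sketch).
        "mode": stat.S_IMODE(target.stat().st_mode),
        "sha256": _digest(target),
        "state": "pending",
    }
    _append(journal, entry)
    os.rename(target, renamed)
    os.chmod(renamed, 0o600)
    return entry


def pending(journal):
    """Entries still waiting for the user's answer (last record per file wins)."""
    latest = {}
    if Path(journal).exists():
        for line in Path(journal).read_text(encoding="utf-8").splitlines():
            record = json.loads(line)
            latest[record["original"]] = record
    return [r for r in latest.values() if r["state"] == "pending"]


def resolve(journal, original, confirm_removal):
    """Ask later: delete on 'yes', restore name and permissions on 'no'."""
    matches = [r for r in pending(journal) if r["original"] == str(original)]
    if not matches:
        raise KeyError(f"no pending action for {original}")
    entry = matches[0]
    if _digest(entry["renamed"]) != entry["sha256"]:
        raise ValueError("file changed after it was neutralized")
    if confirm_removal:
        os.remove(entry["renamed"])
        state = "deleted"
    else:
        if os.path.exists(entry["original"]):
            raise FileExistsError(entry["original"])
        os.rename(entry["renamed"], entry["original"])
        os.chmod(entry["original"], entry["mode"])
        state = "restored"
    _append(journal, dict(entry, state=state))
    return state


def demo():
    """Constructed files: one false positive is rolled back, one item is removed."""
    with tempfile.TemporaryDirectory() as root:
        journal = Path(root) / "actions.jsonl"
        fp = Path(root) / "autorun.inf"
        bad = Path(root) / "dropper.exe"
        fp.write_text("[autorun]\nlabel=Recovery\n")
        bad.write_bytes(b"constructed sample bytes")
        os.chmod(fp, 0o444)
        os.chmod(bad, 0o755)
        neutralize(fp, journal)
        neutralize(bad, journal)
        waiting = len(pending(journal))
        fp_state = resolve(journal, fp, confirm_removal=False)
        bad_state = resolve(journal, bad, confirm_removal=True)
        return {
            "waiting": waiting,
            "fp_state": fp_state,
            "fp_mode": stat.S_IMODE(fp.stat().st_mode),
            "fp_text": fp.read_text(),
            "bad_state": bad_state,
            "bad_left": bad.exists() or Path(str(bad) + SUFFIX).exists(),
            "still_pending": len(pending(journal)),
        }


if __name__ == "__main__":
    print(demo())
```

Because the journal entry is written before the rename, an interrupted scan still leaves a record of what to undo, and a restored false positive gets back both its name and its original permissions.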
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on November 27, 2012, 02:07:59 PM
A rollback function will be quite useful.
If it is simple and userfriendly, it can solve the issue.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on November 27, 2012, 05:41:36 PM
I have been running MCS on my XP for a while now.
I now also run Windows8 64Bit and am considering the install on this OS.
After reviewing the information in previous posts and the move to rectify I will wait until then. :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on November 27, 2012, 06:33:24 PM
I now also run Windows8 64Bit and am considering the install on this OS.
I'm using it on W8 x64.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on November 27, 2012, 06:43:10 PM
I now also run Windows8 64Bit and am considering the install on this OS.
I'm using it on W8 x64.

Hi Tech: Ah yes. I was just wondering about the 'quarantine/warning' update referred to.
Maybe I misunderstood the posts. 8)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on November 27, 2012, 06:59:10 PM
I now also run Windows8 64Bit and am considering the install on this OS.
I'm using it on W8 x64.

Hi Tech: Ah yes. I was just wondering about the 'quarantine/warning' update referred to.
Maybe I misunderstood the posts. 8)
No, no misunderstandings. I'm just corroborating with your posts.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on November 27, 2012, 07:05:51 PM
I now also run Windows8 64Bit and am considering the install on this OS.
I'm using it on W8 x64.

Hi Tech: Ah yes. I was just wondering about the 'quarantine/warning' update referred to.
Maybe I misunderstood the posts. 8)
No, no misunderstandings. I'm just corroborating with your posts.

No worries ;)
I'm understanding they are working on a 'fix/update' so as to address "no harm first" premise. :)
 
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on November 27, 2012, 07:43:44 PM
I now also run Windows8 64Bit and am considering the install on this OS.
I'm using it on W8 x64.

Hi Tech: Ah yes. I was just wondering about the 'quarantine/warning' update referred to.
Maybe I misunderstood the posts. 8)
No, no misunderstandings. I'm just corroborating with your posts.

No worries ;)
I'm understanding they are working on a 'fix/update' so as to address "no harm first" premise. :)
That's what I'm waiting for. :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on November 30, 2012, 12:48:55 AM
Just received an Auto Update of MCS to version 2.3.3.17
Is this the update talked about in Post #120  (Update in 1-3days)? ???
Thanks,  8)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on November 30, 2012, 12:19:52 PM
Just received an Auto Update of MCS to version 2.3.3.17
Is this the update talked about in Post #120  (Update in 1-3days)? ???
Thanks,  8)
:D

http://forum.avast.com/index.php?topic=9671.msg869094#msg869094
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on November 30, 2012, 03:54:45 PM
I see you have released a new version, 2.3.3.17, which is supposed to take care of the "hidden" files in quarantine.   Thank you.

I just came across an interesting article:   Can we take for granted your program will protect us from the likes of what is being discussed here:   http://nakedsecurity.sophos.com/2012/11/30/w32vbna-x-spreads-quickly-through-networks-and-removable-media/
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on November 30, 2012, 07:43:44 PM
Thanks. ;) :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on November 30, 2012, 09:17:06 PM
ky331, thanks for reporting the problem.

Malware described on that link? A "blended behavior" worm; exploits autorun, replicates, mimics user's folders, uses tricks to lure the user into running it...
Normally, this is bad because of many ways an infection can occur, but if we're talking MCS, it's good: the worm would trigger several detection routines (in my belief; more than enough).
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on December 16, 2012, 02:09:43 PM
v 2.4.3.18: 16th December 2012.

- implemented a new generic detection routine (for more precise detection/remediation of Trojan:VBS/Autorun.B (MS));
- added Persian language (thanks to translator Seyed Ehsan Hadi).
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on December 16, 2012, 07:06:40 PM
Is it a bug when I've set "not warn about updates" and each boot a panel is shown that there is no updates? :'(
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on December 16, 2012, 10:26:44 PM
"Notify when new database is installed" doesn't control that first notification. Currently, there's no option that does.
And yes, I know there should be. :) It was planned a while ago, but we never got to it.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on December 17, 2012, 12:29:05 AM
Thanks.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on February 10, 2013, 03:30:43 PM

Hi guys  :D

http://forum.avast.com/index.php?topic=9671.msg893596#msg893596

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on February 10, 2013, 03:49:19 PM
Believe it or not...
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on February 10, 2013, 03:57:24 PM
I just downloaded/installed the latest MCshield version, without any warning message from avast.   Perhaps they've updated the database?   (I'm at 13-02-10-0)

I am especially pleased about MCshield's new option for interactive mode:
- added new option in Control Center (on Scanner tab: Interactive mode -- for users who wish to have more control);
- implemented interactive removal mode (for most actions: the user is asked about actions being taken);

I believe this should fully address my earlier concerns about any "aggressiveness" in the program's automated actions.   I would like to thank Dr. Bora for his continuing assistance here  :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: DavidR on February 10, 2013, 04:14:15 PM
Believe it or not...

Is this not connected to your other topic and issue with Evo-gen detections?

I too have connected and downloaded the file without alert and ashQuick.exe scan finds nothing.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on February 10, 2013, 05:40:50 PM
MCshield v 2.5.4.20: 10th February 2013 [SECOND program update today!]
 
- fixed a bug related to autoupdate (if database notifications are off, the new setup would not be started after download).
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on February 10, 2013, 06:26:09 PM
@Tech
I (we) don't have that detection.  :-\ My current avast database 130210-0 and I have no detection.

@ky331
Yeah, it is one more update. You were faster than me... ;D
Downloading via autoupdate or via official MCShield site.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on February 10, 2013, 08:51:26 PM
Hello...  :)

Yes, we had to release another update. Previously, when a new program version was available, it would be downloaded to Desktop and user was expected to start the installation.
As it appears, that was not really clear to some users so we made a change: now, the new installer shall be downloaded to temporary folder and automatically started. And yes, a bug slipped through. In case the user disabled notifications about a new database being installed, the setup would not run automatically.
This was fixed in v2.5.4.20.

Interactive mode has been implemented. Although functional, this feature, just like every new feature, will be improved over time (both logic and appearance-wise). I believe it should do for now. When in interactive mode, the user will be asked about autorun items (at the beginning of the scan) and later at the end of the scan, about the rest of the items. The user will be asked about all deletions and most of renames and unhides.
Why "most of"? Well, there are situations when a program needs to do things to either protect the PC or to protect the files on a drive from the program itself (its heuristics). I'm not talking normal scans and general heuristics; I'm talking about very specific malware that would need to be treated in a certain way.
One example would be a situation where program renames/unhides files that it considers legitimate without asking the user first.
As noted, these renames and unhides are rather rare and routines performing them are quite accurate, so this should not be an issue, but, as already said, this will be worked on.

Another important feature, the one that should significantly decrease number of false detections (especially those autorun related), is digital signature checking and automatic whitelisting in case a file is signed by a trusted vendor (the list of trusted signers is included in the database and will develop over time from the current few hundred signers).

The documentation on the website is not updated (it will take a week or two), but I think it should be quite clear how to use interactive mode.
You have Yes and No buttons; if not sure, use Details (and info/options available there). If still not sure; click Automatic to switch to automatic removal mode.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on April 02, 2013, 07:34:33 PM
Hi,

We would like to inform you that MCShield has a new domain now.

http://www.mcshield.net/

Clicking on the old site (link) or old MCS download link, you will be redirected to the new domain so you don't even know the difference.   :D



Cheers,
magna


Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on April 12, 2013, 09:09:20 PM
v 2.6.3.21: 12th April 2013.

- updated all components to work with our new domain (www.mcshield.net);
- added detection for another variant of replicating worms;
- updated/improved detection/remediation of Win32.Gamarue;
- added Russian language (thanks to translator Covaliov Andrei Genadie).
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on April 17, 2013, 01:17:45 PM
Avast (definitions 13-04-17-0) is having an issue with MCShield (2.6.3.21) today...

Avast's file shield is objecting to MCShieldDS.exe, alleging it is "suspicious" - Win32:Evo-gen [Susp]
This occurred both when McShield was trying to load at bootup, as well as each time I plug-in a flash drive.
Yet, when I ask avast to scan the file, it reports that the file is clean!  (How can it have it both ways?)

For what it's worth, here's a link to Virus Total's analysis, several of which have "generic" Trojan issues with this file: https://www.virustotal.com/en/file/6cfcf9d73bc70ad8b1e064cd71efe5974fe95003646ec516767a5b002a804ff3/analysis/1366195390/

EDIT:   I see an earlier mention of Evo-gen above, on this page.   I have been using MCShield for months now, and never had this detection until this morning.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on April 17, 2013, 02:28:36 PM
Thank you ky331 for information.  :)

We will report this FP again and I hope avast detections will be removed soon.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on April 17, 2013, 03:28:42 PM
(Not that it's relevant to avast, but) If anyone is reporting this to MCShield, I received a similar objection on another PC, this time from Panda Cloud Antivirus... [don't have the details offhand, I think it may have been detected as a PUP]
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on April 17, 2013, 05:28:01 PM
Nothing yet as I just received this warning when executing MCShield on my Laptop/Win8 64Bit.   ???

Edit: Went to re-execute MC and received MC warning "Instillation is corrupt, Re-install"
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on April 17, 2013, 11:26:34 PM
The F/P appears to have been fixed in definitions 13-04-17-1
(or perhaps via streaming update received by 5:12 PM [USA - Eastern Daylight Saving Time])
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: iroc9555 on April 18, 2013, 01:54:12 AM
Hi David.

Yeap ! VPS 130417-1 was just to fix F/P and alerts.

http://www.avast.com/virus-update-history

Regards.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on July 08, 2013, 09:30:19 PM
MCShield v 2.7.3.22:

(8th July 2013)

- improved detection/remediation of all variants of Win32.Gamarue;
- added heuristics for another family of worms (Dunihi.A and similar);
- added Turkish language (thanks to translator Mahsum ŞEN);
- several changes in the log formatting and details.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on July 08, 2013, 10:06:04 PM
MCShield v 2.7.3.22:

(8th July 2013)

- improved detection/remediation of all variants of Win32.Gamarue;
- added heuristics for another family of worms (Dunihi.A and similar);
- added Turkish language (thanks to translator Mahsum ŞEN);
- several changes in the log formatting and details.
Already posted where all update notifications are posted :)
http://forum.avast.com/index.php?topic=9671.msg962137#msg962137
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Charyb-0 on July 09, 2013, 01:28:50 AM
If a person is using avast, what reason is there for using MCShield? I realize I am going to read something regarding layers but there can be problems with too many layers and overkill.

If I use only avast, am I protected or not?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: iroc9555 on July 09, 2013, 01:43:17 AM
You have to run whatever is in the flashcard for Avast! to analyze. MCShield scans automatically whatever you connect to your machine in seconds.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: argus on July 09, 2013, 08:43:26 AM
Antivirus programs generally cope poorly with worms. If there are worms in the definitions, the antivirus will prevent infection, but if not, mamma mia  ;D
MCShield does not have a definition in its database; the worm will be deleted.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on July 09, 2013, 09:50:50 AM
If a person is using avast, what reason is there for using MCShield? I realize I am going to read something regarding layers but there can be problems with too many layers and overkill.

If I use only avast, am I protected or not?
if you browse this topic....
and read the posts from argus / magna86 / dr_Bora    then they have explained it in detail as you are not the first one to ask.  :)

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Charyb-0 on July 09, 2013, 03:51:11 PM
The reason I asked is because I don't want to read through 11 pages of information that may or may not give me the answer I am wanting. I have better things to do.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on July 09, 2013, 04:05:35 PM
Quote
I have better things to do.
naaaa..... if you did you would not have 1454 posts here.   ;D

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on July 09, 2013, 07:08:39 PM
Hi,

If a person is using avast, what reason is there for using MCShield? I realize I am going to read something regarding layers but there can be problems with too many layers and overkill.

If I use only avast, am I protected or not?

[ ... ]

The reason I asked is because I don't want to read through 11 pages of information that may or may not give me the answer I am wanting. I have better things to do.


MCShield isn't AntiVirus and it never will be.
Having that in mind + considering that I was talking about this recently (me vs Aventador) + everything already has been discussed & explained here ... really don't have nothing to add. If anyone bothered to read-through this topic just because it has better things to do, then I certainly have better things to do than re-writing all over again what has already been discussed. + English is not my first language. MCS is freeware and no one's forcing you to use it if you don't want to.


Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on July 09, 2013, 07:14:27 PM
Hi,

If a person is using avast, what reason is there for using MCShield? I realize I am going to read something regarding layers but there can be problems with too many layers and overkill.

If I use only avast, am I protected or not?

[ ... ]

The reason I asked is because I don't want to read through 11 pages of information that may or may not give me the answer I am wanting. I have better things to do.


MCShield isn't AntiVirus and it never will be.
Having that in mind + considering that I was talking about this recently + everything already has been discussed & explained here ... really don't have nothing to add.
If anyone bothered to read-through this topic just because it has better things to do, then I certainly have better things to do re-writing all over again what has already been discussed. + English is not my first language. MCS is freeware and no one's forcing you to use it if you don't want to.
It isn't only free but it's also an excellent product that is constantly being improved.
You also only need to read 11 pages if you haven't already been following this thread since its start. :)


In order for avast to protect files on your usb device, you need to open the file and avast! will scan it.
MCShield scans in very quick fashion the entire USB drive when it's inserted and blocks infections from getting to your computer.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on July 09, 2013, 07:18:36 PM
Thank you Bob for your kind words. We do appreciate. ;)  :D
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: SpeedyPC on July 09, 2013, 07:20:48 PM
Thank you Bob for your kind words. We do appreciate. ;)  :D

OT: Don't forget to buy him an extra large cup of coffee because he doesn't drink beer cause I remember he said that to me twice ;D ;D
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on July 09, 2013, 07:22:39 PM
Thank you Bob for your kind words. We do appreciate. ;) :D
You're welcome. You've earned them with your hard work.
Your product is a great addition to the free version of avast! :)
Not bad to add to the paid versions of avast! either.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Charyb-0 on July 09, 2013, 07:44:13 PM
Hi,

If a person is using avast, what reason is there for using MCShield? I realize I am going to read something regarding layers but there can be problems with too many layers and overkill.

If I use only avast, am I protected or not?

[ ... ]

The reason I asked is because I don't want to read through 11 pages of information that may or may not give me the answer I am wanting. I have better things to do.


MCShield isn't AntiVirus and it never will be.
Having that in mind + considering that I was talking about this recently (me vs Aventador) + everything already has been discussed & explained here ... really don't have nothing to add. If anyone bothered to read-through this topic just because it has better things to do, then I certainly have better things to do than re-writing all over again what has already been discussed. + English is not my first language. MCS is freeware and no one's forcing you to use it if you don't want to.
That's some kind of attitude to have with someone who asked a simple question. As I stated before, I don't have the time to read through 11 pages. I just wanted a simple answer.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on July 09, 2013, 08:09:50 PM
@Charyb...... he is only saying what you said, he has better things to do than repeat it all again.

You don't have to read 11 pages, you browse those pages quickly, and just read the replies from argus / magna86 / dr_Bora.



Quote
If I use only avast, am I protected or not?
if you only wanted an answer to this?....No security program has 100% detection, that is how safe you are


Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Para-Noid on July 09, 2013, 08:16:27 PM
Your product is a great addition to the free version of avast! :)
Not bad to add to the paid versions of avast! either.
+1 Would be great if avast would automatically scan whenever "any" removable media is inserted.  8)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Charyb-0 on July 09, 2013, 08:30:08 PM
Thanks for the info iroc, argus, and bob. These were the type of answers that I was looking for.

I'm glad to receive a straightforward answer from each of you.


@Pondus, your posts have proven to be 100% useless to me. Thanks anyway though.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on July 09, 2013, 09:06:15 PM
Quote
@Pondus, your posts have proven to be 100% useless to me. Thanks anyway though.
of course, since you did not do as suggested. but if you don't have time.....you don't have time
you find the info in there, if and when you find time to read it


Title: Re: 2nd layer protection for USB drives: MCShield
Post by: iroc9555 on July 09, 2013, 11:52:45 PM
Thanks for the info iroc, argus, and bob. These were the type of answers that I was looking for.

You are welcome.

Besides posts from dr_Bora, Argus, and Magna, explaining how it works, Ky331 posts have been very informative too.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: argus on July 14, 2013, 10:40:22 AM
MCShield 2.7.3.22

 - improved detection/removal of all Win32.Gamarue variants;
 - added heuristics for the second worms family (Dunihi.A and similar);
 - added Turkish language (credit goes to translator Mahsum ŞEN);
 - minor changes in the log structure (formatting and details)

Download:

http://www.mcshield.net/downloads.html
http://www.softpedia.com/get/Antivirus/MCShield.shtml
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Aventador on July 14, 2013, 01:54:16 PM
A very good product but it must run in real time. Immunizing your USB device is better and easier alternative without having another resident program running.

http://www.youtube.com/watch?v=8mYK5D-03As
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on July 14, 2013, 03:04:20 PM
Quote
A very good product but it must run in real time.
Thanks. :) But MCShield works in real time only when it detects a USB device. The rest of the time it's just waiting for the next USB device ...

Quote
Immunizing your USB device is better and easier alternative without having another resident program running.
I thought I had already explained to you what USB Immunizer-like software is actually doing, and that it just gives you a false sense of security.

by dr_Bora:
http://forum.avast.com/index.php?topic=104046.msg835821#msg835821
http://forum.avast.com/index.php?topic=104046.msg841485#msg841485


P.S: character in this video of yours has no idea what he's doing so ...  ;D
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on July 14, 2013, 08:08:12 PM
McShield is excellent when you need to use your partners' or friends' USB drives like tons of people.
But, anyway, you know that avast! scans the USB sticks as well.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on July 15, 2013, 11:34:40 PM
Time to contact Webutation. I just had to bypass the following:
(http://www.screencast-o-matic.com/screenshots/u/Lh/1373923922891-44578.png)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on July 16, 2013, 12:43:09 AM
Thank you Bob for reporting this.  :)


P.S:  :D

MCShield v 2.7.4.23: 15th July 2013.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on July 16, 2013, 12:47:25 AM
Thank you Bob for reporting this.  :)


P.S:  :D

MCShield v 2.7.4.23: 15th July 2013.
  • improved heuristics for better recognition of legitimate files.
You can't fix what you don't know.
I personally hate those reputation services that strictly depend on (uninformed) user input.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: SpeedyPC on July 16, 2013, 08:40:01 AM
How many of you use MCShield, and what is your preferred setting, Default or Bulletproof? I would like your current feedback on your preferred setting choice, and please explain why if you could.

I have mine set to Default 8)

Thank you, while I'm learning something new about MCShield ;) while I'm explaining it to some of my clients who want to use MCShield.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: argus on July 16, 2013, 09:12:18 AM
 like this
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: SpeedyPC on July 16, 2013, 09:21:18 AM
@argus can you please explain to me what you've highlighted in the screenshot and why ??????

Thank you, while I'm learning something new about MCShield ;) while I'm explaining it to some of my clients who want to use MCShield.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: argus on July 16, 2013, 09:30:48 AM
Nothing special, who does not like a popup message when booting Windows  :)

In general, the default settings are OK.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: SpeedyPC on July 16, 2013, 09:35:48 AM
Nothing special, who does not like a popup message when booting Windows  :)

In general, the default settings are OK.

Thanks for this argus I really appreciate your help ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on July 16, 2013, 10:52:30 AM
same setting as argus ... default... except I also tick "don't show initial notification", to avoid the pop-up when you turn on the computer
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: SpeedyPC on July 16, 2013, 11:29:34 AM
same setting as argus ... default... except I also tick "don't show initial notification", to avoid the pop-up when you turn on the computer

Set mine the same as well

PS. You okay Pondus ???
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: iroc9555 on July 16, 2013, 10:23:20 PM
I like my popups ;D

I also like MCS to show me the log and to give me the opportunity to decide if I want to remove what it has found. This is one feature Ky331 and I asked for and MCShield added it so gratefully.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on January 25, 2014, 10:12:16 AM
Hi all,

Good news everyone ...   :D



M C S h i e l d
::Anti-Malware Tool::

(http://www.mycity.rs/imgs3/66097_86912712_MCS-icon.png)



http://www.mcshield.net/

MCShield Database Updater (http://www.mcshield.net/download/MCShield-Database-Updater.exe)


**********************************




v3.0.3.26v3 final:   25th January 2014.

Quote
- completely redesigned user interface with additional features;
- new tab in Control Center: "Status" used to
- - view & change main functions;
- - view system information & main settings;
- new tab in Control Center: "Logs" for easy logfile access and manipulation;
- new tab in Control Center: "MCS Cloud" providing stats and latest news;
- new option "Add Scan with MCShield to drives' menu" in Control Center > General:
- - possibility to start on demand scans via right click menu;
- new option "Visual style" in Control Center > General:
- - possibility to select one of four visual styles;
- new option "Don't scan autorun.inf" in Control Center > Scanner:
- - possibility to completely disable AntiAutorun (processing of autorun files);
- additional heuristics (AntiRep4) for another family of replicating worms (CryptoLocker and similar);
- additional heuristics (AntiScript) for all types of vbscript based worms:
- - on the fly decryption, code format & contents analysis;
- - support for extremely large malicious files;
- improved detection (FME) of worms mimicking legitimate files;
- improved detection (AntiRep3) of several replicating worms;
- added Simplified Chinese language (thanks to translator Anan);
- added Swedish language;
- updated all languages for v3 (except Brazilian Portuguese);
- fixed an issue that caused the MD5 not to be shown for suspicious files in interactive mode;
- improved program initialization time by removing obsolete on-start routines;
- digitally signed all executable components:
- - improving compatibility and ease of use alongside other security software;
- - giving users the possibility to verify the origin and authenticity of the software;
- various other improvements (code stability, graphics, program logic...).


**********************************


(http://www.mycity.rs/thumbs3/66097_tmb_51505339_1.JPG) (http://www.mycity.rs/slika.php?slika=66097_51505339_1.JPG) (http://www.mycity.rs/thumbs3/66097_tmb_73191798_4.JPG) (http://www.mycity.rs/slika.php?slika=66097_73191798_4.JPG) (http://www.mycity.rs/thumbs3/66097_tmb_47953247_5.JPG) (http://www.mycity.rs/slika.php?slika=66097_47953247_5.JPG) (http://www.mycity.rs/thumbs3/66097_tmb_92709612_6.JPG) (http://www.mycity.rs/slika.php?slika=66097_92709612_6.JPG)



Cheers, 
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on January 25, 2014, 04:39:55 PM
Thanks, already updated.
I received my notification this morning. :)
This is one of the nice avast! companions. :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on January 25, 2014, 06:55:17 PM
Thanks, nice additions to GUI
On my installation there is a 'misalignment', as the last few letters on the right side of each TAB (all the way down) are missing when viewed.
You probably are already aware.  ;)


edit
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on January 25, 2014, 07:50:10 PM
Thank you both for these kind words.  ;)



@schmidthouse
I'm afraid I did not understand you the best. Can you tell me which OS you are using (Win8.1Pro 64Bit? ) and can you please post the ScreenShot of MCS-Control Center?

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on January 25, 2014, 08:01:35 PM
Thank you both for these kind words.  ;)



@schmidthouse
I'm afraid I did not understand you the best. Can you tell me which OS you are using (Win8.1Pro 64Bit? ) and can you please post the ScreenShot of MCS-Control Center?

Here you go. Look at the end of every option and you can see the last letters missing. :)
Another to come.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on January 25, 2014, 08:03:54 PM
This occurs on every TAB
I hope this makes it clearer. :)

Yes W8.1 64 Bit
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on January 25, 2014, 08:09:45 PM
I see, thanks for SS.

Please just tell me the screen resolution so I can check what may be the problem.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on January 25, 2014, 08:11:52 PM
I see, thanks for SS.

Please just tell me the screen resolution so I can check what may be the problem.

Off line for awhile but I will reply when I get back
Thanks. ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on January 25, 2014, 08:23:02 PM
I can confirm the same issue as Schmidthouse on my Win7x64 Pro SP1 system (1600x900 resolution).
In fact, on the Status Screen, I can't see the 3rd line (MCS Cloud) at all!

Ironically, the display is just fine on my 32-bit WinXP Pro SP3 system!
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on January 25, 2014, 08:46:03 PM
Thank you. I will report this ...
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on January 25, 2014, 11:58:14 PM
On my Dell I5 Laptop - Windows 8.1 Pro 64 bit, display is 1600X900
I don't have that problem:
(http://www.screencast-o-matic.com/screenshots/u/Lh/1390690602713-47341.png)


(http://www.screencast-o-matic.com/screenshots/u/Lh/1390690668523-27745.png)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on January 26, 2014, 12:14:15 AM
I see, thanks for SS.

Please just tell me the screen resolution so I can check what may be the problem.

Just got back

1680x1050  ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on January 26, 2014, 02:30:41 PM
Thank you schmidthouse, ky331 and to you Bob, thank you all again. We do appreciate any feedback.  ;)


FYI:
dr_Bora has reproduced the error. We are working on the problem...
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on January 26, 2014, 04:10:27 PM
"dr_Bora has reproduced the error."

Is there a preliminary conjecture as to what configurations cause the problem? --- what makes it happen on some particular systems but not others?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: dr_Bora on January 26, 2014, 04:36:31 PM
Hello.
The problem is related to DPI settings on the PC ("size of text and other items").
We're looking into the possibilities... It's not really the simplest one to fix.

Just tell me this: did you guys change the settings yourself or was it done by Windows?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: ky331 on January 26, 2014, 04:57:45 PM
Looking at my Display setting,  I see it's set for Medium:  125% (which I believe equates to 120 DPI).   It's been so long, but I'd have to say I opted for that myself... my eyes are getting worse, so it's easier to see things when enlarged.

My video driver updated itself automatically about two months ago... I was not happy when it did so without checking with me first... I would NOT have permitted it, had I been asked.

I also accidentally adjusted my Display/Color settings about a month ago... and couldn't figure out how to get back the previous settings... and have settled on an acceptable variation.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on January 26, 2014, 06:36:17 PM
Hello.
The problem is related to DPI settings on the PC ("size of text and other items").
We're looking into the possibilities... It's not really the simplest one to fix.

Just tell me this: did you guys change the settings yourself or was it done by Windows?

I didn't change any settings that I'm aware of?  ???
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Simion on February 02, 2014, 03:53:17 PM
MCShield v3.0.4.27

Quote
v 3.0.4.27: 2nd February 2014.

- fixed an issue that caused the scanner to crash on certain locked files;
- updated Vietnamese language.

http://www.mcshield.net/
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: juuki on March 12, 2014, 06:31:17 PM
The quarantine and occasional detections that AVs make in there... Yes, I agree that this is not perfect and the other programmer and I discussed the encryption many times, but we never got to making it. You know, real life, jobs and stuff like that. Hopefully, we'll get to it one day.

Is the quarantine safe? Well, malware in that folder can't start by itself. So, unless you go there and start clicking on files you know to be malicious, you won't have any problems.

If MCShield detects any malware and quarantines it, avast detects that quarantined file and deletes it.
As encryption hasn't been added to the program, is there any other way to avoid this "conflict"?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on March 12, 2014, 06:58:25 PM
Hi juuki,

If MCShield detects any malware and quarantines it, avast detects that quarantined file and deletes it.

Just to clarify. Any malware with intent to be transmitted via removable drives.  :)



As encryption hasn't been added to the program, is there any other way to avoid this "conflict"?

Encryption is added to MCS's Quarantine. Are you sure you have the latest version installed?

Avast shouldn't touch MCS's Quarantine. If a "Quarantine" conflict does exist (there is always a possibility for avast to detect malicious files in MCS's Quarantine based on its heuristics check), little can be done I think except to clear the MCS Quarantine folder, as I do not see that as a problem. :)


Title: Re: 2nd layer protection for USB drives: MCShield
Post by: juuki on March 12, 2014, 08:19:52 PM

Encryption is added to MCS's Quarantine. Are you sure you have the latest version installed?


I have the latest version (as you can see in the attachment, left is the last downloaded version from their website and right is my installed version).
Encryption is not added to MCS. Have no idea where you get that information.


Avast shouldn't touch MCS's Quarantine. If a "Quarantine" conflict does exist (there is always a possibility for avast to detect malicious files in MCS's Quarantine based on its heuristics check), little can be done I think except to clear the MCS Quarantine folder, as I do not see that as a problem. :)

Avast scans all changes made, so when MCS sends a file to quarantine, Avast also scans that quarantine folder.

In my case I inserted a USB. MCS detected 4 malware; I deleted 3 and 1 is ignored.

Here is log:
Code:
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.4.27 / DB: 2014.3.10.1 / Windows 7 <<<


12.3.2014. 17:05:17 > Drive F: - scan started (no label ~1960 MB, FAT flash drive )...


>>> F:\AVTORUN\Desktop.ini > ignored (user request). (MD5: f05d6580608901fa2aea2a1e711a8ff4)

> F:\AVTORUN
> F:\AVTORUN\Desktop.ini (MD5: f05d6580608901fa2aea2a1e711a8ff4)
> F:\AVTORUN\slovenec.exe (MD5: eb722f24b9affb0ecaf41cff09d0b241)

>>> F:\AVTORUN - Malware (folder) > Deleted. (14.03.12. 17.07 AVTORUN.45284)

> F:\ZNOJE
> F:\ZNOJE\Desktop.ini (MD5: f05d6580608901fa2aea2a1e711a8ff4)
> F:\ZNOJE\misejaja.exe (MD5: d6f30cf036932f1511c6a66e886a3868)

>>> F:\ZNOJE - Malware (folder) > Deleted. (14.03.12. 17.07 ZNOJE.314628)

> F:\NATASA
> F:\NATASA\Desktop.ini (MD5: f05d6580608901fa2aea2a1e711a8ff4)
> F:\NATASA\pazhin.exe (MD5: d5a130c139ebb1b133916823a065f3b5)

>>> F:\NATASA - Malware (folder) > Deleted. (14.03.12. 17.07 NATASA.118917)

>>> F:\xfl3hx.exe - Suspicious > Renamed. (MD5: 8b1fad2127a9920b4cf2cd6ff9306ce5)


=> Malicious files   : 6/6 deleted.
=> Malicious folders : 3/3 deleted.
=> Suspicious files  : 1/1 renamed.

____________________________________________

::::: Scan duration: 2min 15sec ::::::::::::
____________________________________________

After that, Avast automatically scans the MCS quarantine, detects and deletes those three malware.

Here is Avast FileSystemShield log:
Code:
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Wednesday, March 12, 2014 4:20:49 PM
*

12.3.2014. 17:07:22 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 AVTORUN.45284\slovenec.exe|>[UPX] [L] Win32:MalOb-IJ [Cryp] (0)
File was successfully moved to chest...
12.3.2014. 17:07:28 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 ZNOJE.314628\misejaja.exe [L] Win32:Evo-gen [Susp] (0)
File was successfully moved to chest...
12.3.2014. 17:07:29 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 NATASA.118917\pazhin.exe|>[UPX] [L] Win32:MalOb-AI [Cryp] (0)
File was successfully moved to chest...
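
The overlap described in this post can be confirmed by correlating the two logs. The following Python sketch is an added example, not part of the original thread and not MCShield or avast! code; the line formats are inferred only from the excerpts posted above, and all function names are hypothetical.

```python
import ntpath
import re

# Quarantine location as given in the thread (%ProgramData%\MCShield\Quarantine).
QUARANTINE_ROOT = "C:\\ProgramData\\MCShield\\Quarantine\\"

# Lines copied from the MCShield log posted above.
MCS_LOG = r"""
> F:\AVTORUN\Desktop.ini (MD5: f05d6580608901fa2aea2a1e711a8ff4)
> F:\AVTORUN\slovenec.exe (MD5: eb722f24b9affb0ecaf41cff09d0b241)
>>> F:\AVTORUN - Malware (folder) > Deleted. (14.03.12. 17.07 AVTORUN.45284)
> F:\ZNOJE\Desktop.ini (MD5: f05d6580608901fa2aea2a1e711a8ff4)
> F:\ZNOJE\misejaja.exe (MD5: d6f30cf036932f1511c6a66e886a3868)
>>> F:\ZNOJE - Malware (folder) > Deleted. (14.03.12. 17.07 ZNOJE.314628)
> F:\NATASA\Desktop.ini (MD5: f05d6580608901fa2aea2a1e711a8ff4)
> F:\NATASA\pazhin.exe (MD5: d5a130c139ebb1b133916823a065f3b5)
>>> F:\NATASA - Malware (folder) > Deleted. (14.03.12. 17.07 NATASA.118917)
>>> F:\xfl3hx.exe - Suspicious > Renamed. (MD5: 8b1fad2127a9920b4cf2cd6ff9306ce5)
"""

# Lines copied from the avast! File System Shield report posted above.
AVAST_LOG = r"""
12.3.2014. 17:07:22 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 AVTORUN.45284\slovenec.exe|>[UPX] [L] Win32:MalOb-IJ [Cryp] (0)
File was successfully moved to chest...
12.3.2014. 17:07:28 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 ZNOJE.314628\misejaja.exe [L] Win32:Evo-gen [Susp] (0)
File was successfully moved to chest...
12.3.2014. 17:07:29 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 NATASA.118917\pazhin.exe|>[UPX] [L] Win32:MalOb-AI [Cryp] (0)
File was successfully moved to chest...
"""

MCS_FILE = re.compile(r"^> (?P<path>.+) \(MD5: (?P<md5>[0-9a-f]{32})\)$")
MCS_FOLDER = re.compile(
    r"^>>> (?P<src>.+) - Malware \(folder\) > Deleted\. \((?P<item>.+)\)$")
AVAST_HIT = re.compile(
    r"^(?P<ts>\d+\.\d+\.\d+\. \d+:\d+:\d+) (?P<path>[A-Za-z]:\\.+?)"
    r"(?:\|>\[(?P<packer>[^\]]+)\])? \[L\] (?P<name>\S+) \[(?P<kind>\w+)\] \(\d+\)$")


def _lines(log):
    return [ln.strip() for ln in log.splitlines() if ln.strip()]


def parse_mcshield(log):
    """Return (files, items): listed files with MD5, and quarantine item -> source folder."""
    files, items = {}, {}
    for line in _lines(log):
        m = MCS_FOLDER.match(line)
        if m:
            items[m["item"]] = m["src"]
            continue
        m = MCS_FILE.match(line)
        if m:
            files[m["path"].lower()] = (m["path"], m["md5"])
    return files, items


def parse_avast(log):
    """Return one dict per detection; the line after a detection is kept as its action."""
    hits = []
    for line in _lines(log):
        m = AVAST_HIT.match(line)
        if m:
            hits.append({**m.groupdict(), "action": None})
        elif hits and hits[-1]["action"] is None:
            hits[-1]["action"] = line
    return hits


def correlate(mcs_log, avast_log):
    """Map each avast! detection inside the quarantine back to the file MCShield removed."""
    files, items = parse_mcshield(mcs_log)
    rows = []
    for hit in parse_avast(avast_log):
        if not hit["path"].lower().startswith(QUARANTINE_ROOT.lower()):
            continue  # detection outside the quarantine folder: a different case
        item, _, fname = hit["path"][len(QUARANTINE_ROOT):].partition("\\")
        source = items.get(item)  # None if MCShield never logged this item
        original = ntpath.join(source, fname) if source else None
        md5 = files.get(original.lower(), (None, None))[1] if original else None
        rows.append({"time": hit["ts"], "item": item, "original": original,
                     "md5": md5, "detection": hit["name"],
                     "packer": hit["packer"], "action": hit["action"]})
    return rows


def untouched(mcs_log, avast_log):
    """Files MCShield listed under quarantined folders that have no avast! detection."""
    files, items = parse_mcshield(mcs_log)
    hit = {r["original"].lower() for r in correlate(mcs_log, avast_log) if r["original"]}
    sources = {s.lower() for s in items.values()}
    return sorted(path for key, (path, _) in files.items()
                  if ntpath.dirname(key) in sources and key not in hit)


if __name__ == "__main__":
    for row in correlate(MCS_LOG, AVAST_LOG):
        print(row["time"], row["original"], row["md5"], row["detection"], row["action"])
    print("No avast! detection logged for:", untouched(MCS_LOG, AVAST_LOG))
```
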
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on March 12, 2014, 09:38:36 PM
Hi juuki,

Quote
Encryption is not added to MCS. Have no idea where you get that information.
Juuki believe me, I know.  ;D
Encryption has been added to the MCShield Quarantine since version 2 (2.2.3.15) in October 2012.
public info: official site (http://www.mcshield.net/) > changelog


Quote
In my case I inserted a USB. MCS detected 4 malware; I deleted 3 and 1 is ignored.
I understand.

From the logs, my guess is that MCS attempted to set and pack the malicious files in its Quarantine but avast! blocked that operation. avast! has a routine to scan all newly detected USB devices. A conflict may arise when the AV (in this case avast!) wants to be first in scanning, thereby not allowing access to the disk. MCShield attempts to access the disk as well to perform scanning, and a glitch occurs.

I would recommend as a solution to disable that routine to allow MCShield that part of the job, if you will. That should be the solution for your problem. Or . . set the MCS's Quarantine folder %path% as an exception in avast!. The Quarantine is located in the ProgramData folder.

Code:
%ProgramData%\MCShield\Quarantine
Anyway, I will perform some additional testing and report to dr_Bora.

Or you can use our contact support form.
http://www.mcshield.net/contactus.html

Thank you for your feedback.

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: juuki on March 13, 2014, 04:36:54 PM
From the logs, my guess is that MCS attempted to set and pack the malicious files in its Quarantine but avast! blocked that operation. avast! has a routine to scan all newly detected USB devices. A conflict may arise when the AV (in this case avast!) wants to be first in scanning, thereby not allowing access to the disk. MCShield attempts to access the disk as well to perform scanning, and a glitch occurs.

MCS detects and sends malicious files to quarantine. After that, Avast detects those "new" files in quarantine and deletes them or sends them to its quarantine.
Avast doesn't block any MCS operation.

Also, Avast doesn't scan newly detected USB devices; that's why this 2nd layer protection for USB devices is needed. So there is no conflict between Avast and MCS.

I would recommend as a solution to disable that routine to allow MCShield that part of the job, if you will. That should be the solution for your problem. Or . . set the MCS's Quarantine folder %path% as an exception in avast!. The Quarantine is located in the ProgramData folder.

Code:
%ProgramData%\MCShield\Quarantine

As a solution I added an exclusion in Avast (File System Shield) for the MCS Quarantine folder:
Code:
C:\ProgramData\MCShield\Quarantine\
with R and W selected, not X, so if any file from the quarantine folder tries to execute, it will be scanned by Avast.

Anyway, I will perform some additional testing and report to dr_Bora.

I tried to test it myself with these settings, but MCS can't detect the EICAR test file, so I have no idea how to test it or whether it will work.

Thank you for your feedback.

No problem, I'm always here to help ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on March 13, 2014, 11:09:07 PM
Also, Avast doesn't scan newly detected USB devices; that's why this 2nd layer protection for USB devices is needed. So there is no conflict between Avast and MCS.
Not really true. avast! DOES scan any accessed file in the USB devices. Like MCS, it does not scan ALL the files in the USB drive.
I also use MCS as a 2nd layer.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on April 12, 2014, 09:24:23 PM
Hi all,

Fresh MCShield has been released.

Changelog:

version 3.0.5.28: 12th April 2014.

Official homepage:
http://www.mcshield.net/

Cheers,
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on April 13, 2014, 05:15:52 PM
Thanks, already updated. :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: schmidthouse on April 13, 2014, 05:34:28 PM
+1 :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Lisandro on April 13, 2014, 06:31:43 PM
Thanks. Already updated.
Last month, I installed MCShield on 3 computers :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: SafeSurf on April 14, 2014, 09:33:35 AM
@ magna86,

When will MCShield be available for Mac PC's?  Thank you.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on April 15, 2014, 02:40:28 PM
Hi SafeSurf, Hi all,  :)

@ magna86,

When will MCShield be available for Mac PC's?  Thank you.

Probably never unfortunately.

Other rules apply to the Mac ecosystem, which means that the program would have to be rewritten from the start and retested from the beginning.
The authors do not have that much free time, plus one has to wonder too ... whether it is worth it?

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: SafeSurf on April 17, 2014, 08:17:53 AM
Thank you Magna86.  You have a great program as I use it on my other Windows machine.  I guess I'll have to find something else for the Mac.  :'(  Thank you again for your hard work.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: testingNoobie on April 26, 2014, 10:58:39 AM
I am still a bit confused; I hope you don't mind answering some questions of mine. I am asking these questions after having read all 15 pages of posts.

1) From what I understand, MCShield operates as a real-time scan whereas avast is on-demand when it comes to a removable drive. So if you choose to scan the removable drive after inserting it, will it be the same as MCShield?

2) Considering that autorun for Windows has been changed to autoplay, so that the user decides what action to take, does this mean that unless the user runs the autorun program, most threats would not be activated upon inserting?

3) If the removable drive has thousands of files, wouldn't that mean that it will take at least a few hours to complete the scan?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on April 26, 2014, 11:04:17 AM
Quote
1) From what I understand, MCShield operates as a real-time scan whereas avast is on-demand when it comes to a removable drive. So if you choose to scan the removable drive after inserting it, will it be the same as MCShield?
No .... and MCShield only looks for the type of malware that uses removable drives to spread when plugged in
so if you have 50Gig of files on it these will not be checked by MCShield ..... for that you use your AV

Quote
2) Considering that autorun for Windows has been changed to autoplay, so that the user decides what action to take, does this mean that unless the user runs the autorun program, most threats would not be activated upon inserting?
autorun is only one way these malware spread


Title: Re: 2nd layer protection for USB drives: MCShield
Post by: TwinHeadedEagle on April 26, 2014, 11:29:25 AM
Quote
3) If the removable drive has thousands of files, wouldn't that mean that it will take at least a few hours to complete the scan?

If traces of malware are found, it will take a few minutes, but not hours.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on April 26, 2014, 01:32:46 PM
Hi testingNoobie,
Please do not hesitate to ask whatever interests you.  ;)



1) To be more precise, MCS sits idle, waiting for you to attach a USB removable drive, and also triggers itself on all possible & known attack vectors that malware can exploit. avast! also monitors the USB device if that is set up in the settings.

The difference between AntiVirus and AntiMalware (MCS) programs is that AV scans are mainly signature-based detection. MCS does not need to know whether the file is malware or not. MCS 'reads them': it reads the files and their executive behavior ...
To read more about signature & heuristic detection, you may read what I wrote here some time ago:
http://www.bleepingcomputer.com/forums/t/523938/mcshield-malware-remover-not-mcafee-is-it-safe/?p=3299985



2) USB worms based on the autorun.inf file (autorun on XP and autoplay on newer OSes) are not so common. This is one of the oldest known attack vectors, and all AV programs do monitor the autorun.inf file and the corresponding file (again, only if the AV knows that file as malware). The ugly truth is different: today malware uses other vectors in order to bypass AV detection and load itself into the host system.



3)
Quote
MCShield is an active (preventive) anti-malware program designed to prevent infections transmitted through removable drives.
Although I have not actually seen a USB memory device with a real thousand files, yes, scanning may take a while in this case. But in most cases, MCS will verify the files in a short time. In this example, the speed may depend on the disk (HDD) speed and the actual speed of the USB drive (removable drive) itself.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: testingNoobie on April 26, 2014, 07:15:45 PM

1) To be more precise, MCS sits idle, waiting for you to attach a USB removable drive, and also triggers itself on all possible & known attack vectors that malware can exploit. avast! also monitors the USB device if that is set up in the settings.

The difference between AntiVirus and AntiMalware (MCS) programs is that AV scans are mainly signature-based detection. MCS does not need to know whether the file is malware or not. MCS 'reads them': it reads the files and their executive behavior ...
To read more about signature & heuristic detection, you may read what I wrote here some time ago:
http://www.bleepingcomputer.com/forums/t/523938/mcshield-malware-remover-not-mcafee-is-it-safe/?p=3299985


I read your post on bleepingcomputer, so from what I understand, MCShield detects and decides for itself whether it's dangerous or not, something like an AI? Whereas a normal AV detects based on updates, so if it did not receive any update it doesn't know whether the file is a threat or not?


Quote
2) USB worms based on the autorun.inf file (autorun on XP and autoplay on newer OSes) are not so common. This is one of the oldest known attack vectors, and all AV programs do monitor the autorun.inf file and the corresponding file (again, only if the AV knows that file as malware). The ugly truth is different: today malware uses other vectors in order to bypass AV detection and load itself into the host system.

Do you mind listing some of them so that I will know to be wary of them or be careful not to click them? Are autoplay and autorun actually the same? I thought autoplay is actually safe.

One thing I would like to know: is malware with autorun the only kind that will trigger on plug-in, or will all malware trigger on plug-in?
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Para-Noid on April 26, 2014, 08:09:58 PM
This might help you http://www.softpedia.com/get/Antivirus/MCShield.shtml
and http://www.mcshield.net/

Don't be afraid to use Google to do some research.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on April 26, 2014, 08:21:33 PM
@testingNoobie    as Para-Noid said ..... don't be afraid to google   ;)     http://lmgtfy.com/?q=dont+be+afraid+to+google+

this I found in one minute
http://resources.infosecinstitute.com/usb-malware/
http://www.darkreading.com/risk-management/how-usb-sticks-cause-data-breach-malware-woes/d/d-id/1099437?
http://antivirus.about.com/od/virusdescriptions/ht/autorunworms.htm
http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=INF/Autorun
https://blog.avast.com/2010/11/03/malware-running-on-autorun/
http://www.infosecurity-magazine.com/view/27703/infautorun-malware-is-most-prevalent-malware-in-july-/

basically, the net is full of info for the one who is curious 

Title: Re: 2nd layer protection for USB drives: MCShield
Post by: BlackHawk1 on May 03, 2014, 07:18:23 PM
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on May 03, 2014, 07:24:03 PM
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.
if you read all the info in this topic ...especially from magna86 and Dr_bora you will see it is not

also if you surf viruses and worms forums section you will see all the good work it does

check MCShield log attached here
http://forum.avast.com/index.php?topic=149818.msg1088692#msg1088692

Quote
=> Malicious files   : 23/23 deleted.
=> Hidden folders    : 2/2 unhidden.
=> Hidden files      : 30/30 unhidden.


Title: Re: 2nd layer protection for USB drives: MCShield
Post by: AdrianH on May 03, 2014, 07:24:30 PM
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.

Wrong. No single AV product is 100%. New threats are created every hour of every day.

If you are using USB sticks and portable drives you need the extra protection.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Asyn on May 03, 2014, 07:24:34 PM
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.
Nope, it can be quite useful.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: BlackHawk1 on May 03, 2014, 07:38:28 PM
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.

Wrong. No single AV product is 100%. New threats are created every hour of every day.

If you are using USB sticks and portable drives you need the extra protection.

Agreed no AV is 100% and layering a million products isn't 100% either. What extra protection? AV I have scans the drive as it's inserted. Autorun disabled. SAFE surfing goes a LONG way.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on May 03, 2014, 07:57:48 PM
Quote
Autorun disabled. SAFE surfing goes a LONG way.
safe surfing does not help if you insert an infected USB ..... and autorun is just one vector used by those critters

all those with USB infected computers you find in viruses and worms forum section that came for help, did have AV installed
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: AdrianH on May 03, 2014, 08:03:54 PM
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.

Wrong. No single AV product is 100%. New threats are created every hour of every day.

If you are using USB sticks and portable drives you need the extra protection.

Agreed no AV is 100% and layering a million products isn't 100% either. What extra protection? AV I have scans the drive as it's inserted. Autorun disabled. SAFE surfing goes a LONG way.

and if your AV does not have the detection for the latest threat you are infected.

MCShield gives you a second chance.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: BlackHawk1 on May 03, 2014, 08:09:14 PM
Quote
Autorun disabled. SAFE surfing goes a LONG way.
safe surfing does not help if you insert an infected USB ..... and autorun is just one vector used by those critters

I understand. Good thing I don't share my drives with anyone.

all those with USB infected computers you find in viruses and worms forum section that came for help, did have AV installed

IME people that happens to are, I'll call them, high risk users. Poor choice of AV IMO, doing things and going places they shouldn't, not much experience and common sense either. I have been using KAV since 1996 when it was AVP and I was a very high risk user at one point. In all these years just 1 infection KNOCK ON WOOD! I am reading more on MCS and seeing a lot of false positive reports and trashed drives because of it. I guess if it makes you feel safer... some love to layer to the extreme and I was once that way. I am amazed at how infected some computers can get these days. I don't know how people can screw up so bad. Many go too fast, don't know what they are doing, and allow installs of bundled junk.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: BlackHawk1 on May 03, 2014, 08:11:53 PM

and if your AV does not have the detection for the latest threat you are infected.

MCShield gives you a second chance.

0day on a USB drive isn't very common, very rare I would say.
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on May 04, 2014, 01:00:25 AM
Hi BlackHawk1  :)

Frequently Asked Questions: you should find all your answers in the English documentation PDF here
http://www.mcshield.net/download.html

Well, there is a difference between antivirus and antimalware programs. These are two different things.
Just compare the two probably most popular free products in the security world, Malwarebytes and avast! ...
MCShield is a free (non-profit) antimalware program:
- MCS can NOT replace avast! nor any other antivirus.
- do not even try to compare them as they are not the same.

As has already been said, AV programs are mainly signature-based software. In other words, this means that the AV has to wait for a signature in order to detect, in this case, the USB-based malware or new malware. For this reason, there are various additional antimalware tools that either target specific infections or come as an addition to the primary AV program, just as help. MCS is here to help the AV or some other AM program, and MCS doesn't need a signature (btw, MCS does have its own database as well) but uses patterns and various behavior detection routines in order to detect even new USB-based malware, as a specialized tool only for this malware type.
That's where the main difference is! This is MCS's job.
For a really advanced user, MCShield may not be necessary, but then again, neither is an AV required if the IT admin/user knows what he is doing.

You mentioned MCS FP detections. Well, they are now rare, but if some FP does occur it is autorun.inf related. Why?
Well, autorun isn't always malware by itself; it is just a form of text file. autorun.inf is the trigger for the real malware executable file.
What, where and why ... it is explained in some previous post by dr_Bora.

Btw, there is no known 0day USB malware, it is again something ...else. But new and undetected, unknown USB malware does exist.
Btw2, autorun is today the old way (read: unpopular way) to trigger/load the malware from USB to the system, and this exploit applies mostly to today's old XP systems, not to Vista and newer OSes, where USB-based malware uses some different techniques.
Quote
I am amazed at how infected some computers can get these days. I don't know how people can screw up so bad.
I've been doing this for a very, very long time. And trust me, I cannot fully figure out how they do that.  ;D


...     ...      ...     ...     
You mentioned that you have had KAV since 1996 and only one infection in that time. How do you know?
Modern malware has the job of not indicating its presence, of being executed without the knowledge of the AV/AV and the user, some even deleting themselves after executing
in order not to leave traces ...etc. So you're now saying that you had no active (just one) malware during that time? Congratulations, but how do you know, and are you 100% sure?  ;)

Do you have any idea how many systems I have examined where some AV shows a green notice "you are protected, there are no threats" or something like that, while active malware is loaded on the system and performing its job? Most users are unaware of the presence of malware because they expect that they will feel some bug in the system. No, they will probably not feel any bugs or anything that indicates the malware's presence.
Hardware and the core system are far advanced and fast; in 80% of cases users are not aware that they are infected, because the user sees his system in a perfectly working state.
Unfortunately, many users ask for help with malware removal only when their AV flags some warning.

facts:
An AV is a must-have; without an AV, PC life would be difficult and impossible. But AVs are not 100% almighty, and sometimes an AV needs some additional help.



Cheers  :)
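
The post above notes that autorun.inf is only a text file that triggers the real executable, which is also why it causes false positives. As an added illustration (not part of the original post, and not how MCShield works internally), this Python triage lists which entries of an autorun.inf would start something; the sample files and function names are constructed for the example.

```python
import ntpath

# Extensions that mean "this entry starts code"; a review aid, not a verdict.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Constructed samples: one that only labels the drive, one that launches programs.
SAMPLE_INERT = r"""[autorun]
label=Holiday photos
icon=drive.ico
"""

SAMPLE_LAUNCHER = r"""; constructed sample
[AutoRun]
open=bin\start.exe -s
shell\open\command="tools\viewer.scr" /q
icon=drive.ico
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, skipping junk lines."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command):
    """Program part of a command line; honours a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def launch_entries(entries):
    """(key, target, is_executable) for every entry that starts something."""
    found = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            target = first_token(value)
            ext = ntpath.splitext(target)[1].lower()
            found.append((key, target, ext in EXECUTABLE_EXTS))
    return found


def triage(text):
    """'inert' if the file only labels the drive, else 'has-launch-entry'."""
    hits = launch_entries(parse_autorun(text))
    return ("has-launch-entry" if hits else "inert"), hits


if __name__ == "__main__":
    for name, sample in (("inert", SAMPLE_INERT), ("launcher", SAMPLE_LAUNCHER)):
        print(name, triage(sample))
```

A file that only sets a label and an icon comes back as inert, so the interesting output is the list of referenced targets, which is what a scanner or analyst then has to judge.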
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: BlackHawk1 on May 04, 2014, 05:13:34 AM
Thank you for the reply. I understand where you are coming from with signature/definition, but as you know AV also has file reputation, heuristics/behavioral analysis as well. I am not saying AV is the only thing needed though. I understand there's a difference between antivirus and antimalware to a point... Well not really as malware is anything malicious so technically that falls under both though you may not see it that way. I am guessing you know things have changed and the days of viruses that destroy and alter files are not common these days. When is the last time something as bad as CIH/Chernobyl was around? How many Word macro viruses do you see these days? HTML virus? Authors are done with look what I can write and have moved on to look how much $ I can reap malware. Not showing presence... I disagree as most of it these days is quite obvious even when a person's AV misses it, it's there staring them in the face with popups, degraded system performance, fake warnings, etc. I feel that programs like Malwarebytes and SuperAntiSpyware as well as some others depending on your preference fill a void that AV misses and they are much needed and do a great job. I am quite sure I have only had 1 incident of actual infection in 95... trust me. On Dec. 8, 2005 I did without the help of AV discover a 0day which was named Troj/Edepol-B. It was never activated. It looked suspicious to me and I submitted the sample to several sites. Different vendors ended up giving it different names... Bifrose, Backdoor-CEP, Trojan.Win32.Pakes. Anyway the way I see it MCS is for those rare instances and for people who just love to load up on protection of all kinds and put the list of those in their signatures. :) Layered so much the computer looks like a Mummy. ;)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: Pondus on May 04, 2014, 10:38:42 AM
Quote
Anyway the way I see it MCS is for those rare instances and for people who just love to load up on protection of all kinds and put the list of those in their signatures. :) Layered so much the computer looks like a Mummy. ;)
it should be installed on every computer in internet cafes / schools / photo shops ...... any place/computer that uses lots of removable storage devices


Quote
How many Word macro viruses do you see these days? HTML virus?
Word macro not many....
HTML virus, many ....every day
https://www.virustotal.com/nb/file/476517ba131c26954fb0625cad9753dc5ba099dc85d0e64684e4117d4cfdee0a/analysis/
https://www.virustotal.com/nb/file/38f1d1f44fdcc2f7a928bd02359ac864b3da5f382ce1a43156ef3c7bbdad7509/analysis/
https://www.virustotal.com/nb/file/43ea7621cfd8192f3aeaf344f344d283f65bc009c9f22759eaf8cb0bed83ea46/analysis/

Sucuri blog  http://blog.sucuri.net/
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: bob3160 on May 04, 2014, 01:47:26 PM
Quote
Anyway the way I see it MCS is for those rare instances and for people who just love to load up on protection of all kinds and put the list of those in their signatures.  Layered so much the computer looks like a Mummy.

Your computer, your choice.
My computer, my choice.
We probably make different choices. :)
Title: Re: 2nd layer protection for USB drives: MCShield
Post by: magna86 on May 04, 2014, 08:27:27 PM
Hi,  :)

Quote
...but as you know AV also has file reputation, heuristics/behavioral analysis as well.
Yes, of course it does. And powerful ones ... But we are talking about worms that attempt to be transmitted via removable drives.

Quote
Authors are done with look what I can write and have moved on to look how much $ I can reap malware.
I agree, it is a long-known fact. What is the purpose of making an effort just to get something destroyed (unless there is some hidden motive) if you can earn at the same time?

Quote
Not showing presence... I disagree as most of it these days is quite obvious even when a person's AV misses it, it's there staring them in the face with popups, degraded system performance, fake warnings, etc.
Not every piece of malware shows its presence. We're not talking about "popular" bad PUP software where the user gets a warning about installation and a changed home page, and we are not talking about rogue/ransomware where the malware has a GUI. We are talking about hardcoded malware, e.g. keyloggers, 0access, TDL3/4, various MBR-based ...etc ...


But all this goes beyond our story.
MCShield is an additional antimalware program designed to prevent infections transmitted via removable drives. If you think you do not need it, cool, don't install the program. But that does not mean that some other user does not need help.  ;)


Cheers  :D