Author Topic: 2nd layer protection for USB drives: MCShield  (Read 132321 times)


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: 2nd layer protection for USB drives: MCShield
« Reply #195 on: January 25, 2014, 08:46:03 PM »
Thank you. I will report this ...

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48551
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #196 on: January 25, 2014, 11:58:14 PM »
On my Dell I5 Laptop - Windows 8.1 Pro 64 bit, display is 1600X900
I don't have that problem:



Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7170
  • When you think you know, Think Again
Re: 2nd layer protection for USB drives: MCShield
« Reply #197 on: January 26, 2014, 12:14:15 AM »
Quote
I see, thanks for SS.

Please just tell me the screen resolution so I can check what may be the problem.

Just got back

1680x1050  ;)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: 2nd layer protection for USB drives: MCShield
« Reply #198 on: January 26, 2014, 02:30:41 PM »
Thank you schmidthouse, ky331 and to you Bob, thank you all again. We do appreciate any feedback.  ;)


FYI:
dr_Bora has reproduced the error. We are working on the problem...
« Last Edit: January 26, 2014, 02:34:46 PM by magna86 »

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: 2nd layer protection for USB drives: MCShield
« Reply #199 on: January 26, 2014, 04:10:27 PM »
"dr_Bora has reproduced the error."

Is there a preliminary conjecture as to what configurations cause the problem? --- what makes it happen on some particular systems but not others?
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

dr_Bora

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #200 on: January 26, 2014, 04:36:31 PM »
Hello.
The problem is related to DPI settings on the PC ("size of text and other items").
We're looking into the possibilities... It's not really the simplest one to fix.

Just tell me this: did you guys change the settings yourself or was it done by Windows?

Offline ky331

  • Sr. Member
  • ****
  • Posts: 303
Re: 2nd layer protection for USB drives: MCShield
« Reply #201 on: January 26, 2014, 04:57:45 PM »
Looking at my Display setting,  I see it's set for Medium:  125% (which I believe equates to 120 DPI).   It's been so long, but I'd have to say I opted for that myself... my eyes are getting worse, so it's easier to see things when enlarged.

My video driver updated itself automatically about two months ago... I was not happy when it did so without checking with me first... I would NOT have permitted it, had I been asked.

I also accidentally adjusted my Display/Color settings about a month ago... and couldn't figure out how to get back the previous settings... and have settled on an acceptable variation.

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7170
  • When you think you know, Think Again
Re: 2nd layer protection for USB drives: MCShield
« Reply #202 on: January 26, 2014, 06:36:17 PM »
Quote
Hello.
The problem is related to DPI settings on the PC ("size of text and other items").
We're looking into the possibilities... It's not really the simplest one to fix.

Just tell me this: did you guys change the settings yourself or was it done by Windows?

I didn't change any settings that I'm aware of?  ???

Offline Simion

  • Advanced Poster
  • **
  • Posts: 976
Re: 2nd layer protection for USB drives: MCShield
« Reply #203 on: February 02, 2014, 03:53:17 PM »
MCShield v3.0.4.27

Quote
v 3.0.4.27: 2nd February 2014.

- fixed an issue that caused the scanner to crash on certain locked files;
- updated Vietnamese language.

http://www.mcshield.net/

juuki

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #204 on: March 12, 2014, 06:31:17 PM »
Quote
The quarantine and occasional detections that AVs make in there... Yes, I agree that this is not perfect and the other programmer and I discussed the encryption many times, but we never got to making it. You know, real life, jobs and stuff like that. Hopefully, we'll get to it one day.

Is the quarantine safe? Well, malware in that folder can't start by itself. So, unless you go there and start clicking on files you know to be malicious, you won't have any problems.

If MCShield detects any malware and quarantines it, avast detects that quarantine file and deletes it.
As encryption hasn't been added to the program, is there any other way to avoid this "conflict"?

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: 2nd layer protection for USB drives: MCShield
« Reply #205 on: March 12, 2014, 06:58:25 PM »
Hi juuki,

Quote
If MCShield detects any malware and quarantines it, avast detects that quarantine file and deletes it.

Just to clarify. Any malware with intent to be transmitted via removable drives.  :)

Quote
As encryption hasn't been added to the program, is there any other way to avoid this "conflict"?

Encryption is added to MCS's Quarantine. Are you sure you have the latest version installed?

Avast shouldn't touch MCS's Quarantine. If a "Quarantine" conflict does exist (there is always a possibility for avast to detect malicious files in MCS's Quarantine based on its heuristics check), little can be done I think except to clear the MCS Quarantine folder as I do not see that as a problem. :)


« Last Edit: March 12, 2014, 07:00:06 PM by magna86 »

juuki

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #206 on: March 12, 2014, 08:19:52 PM »

Quote
Encryption is added to MCS's Quarantine. Are you sure you have the latest version installed?

I have the latest version (as you can see in the attachment, left is the last downloaded version from their website and right is my installed version).
Encryption is not added to MCS. Have no idea where you get that information.

Quote
Avast shouldn't touch MCS's Quarantine. If a "Quarantine" conflict does exist (there is always a possibility for avast to detect malicious files in MCS's Quarantine based on its heuristics check), little can be done I think except to clear the MCS Quarantine folder as I do not see that as a problem. :)

Avast scans all changes made, so when MCS sends a file to quarantine Avast also scans that quarantine folder.

In my case I inserted a USB. MCS detected 4 malware, I deleted 3 and 1 is ignored.

Here is log:
Code: [Select]
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.4.27 / DB: 2014.3.10.1 / Windows 7 <<<


12.3.2014. 17:05:17 > Drive F: - scan started (no label ~1960 MB, FAT flash drive )...


>>> F:\AVTORUN\Desktop.ini > ignored (user request). (MD5: f05d6580608901fa2aea2a1e711a8ff4)

> F:\AVTORUN
> F:\AVTORUN\Desktop.ini (MD5: f05d6580608901fa2aea2a1e711a8ff4)
> F:\AVTORUN\slovenec.exe (MD5: eb722f24b9affb0ecaf41cff09d0b241)

>>> F:\AVTORUN - Malware (folder) > Deleted. (14.03.12. 17.07 AVTORUN.45284)

> F:\ZNOJE
> F:\ZNOJE\Desktop.ini (MD5: f05d6580608901fa2aea2a1e711a8ff4)
> F:\ZNOJE\misejaja.exe (MD5: d6f30cf036932f1511c6a66e886a3868)

>>> F:\ZNOJE - Malware (folder) > Deleted. (14.03.12. 17.07 ZNOJE.314628)

> F:\NATASA
> F:\NATASA\Desktop.ini (MD5: f05d6580608901fa2aea2a1e711a8ff4)
> F:\NATASA\pazhin.exe (MD5: d5a130c139ebb1b133916823a065f3b5)

>>> F:\NATASA - Malware (folder) > Deleted. (14.03.12. 17.07 NATASA.118917)

>>> F:\xfl3hx.exe - Suspicious > Renamed. (MD5: 8b1fad2127a9920b4cf2cd6ff9306ce5)


=> Malicious files   : 6/6 deleted.
=> Malicious folders : 3/3 deleted.
=> Suspicious files  : 1/1 renamed.

____________________________________________

::::: Scan duration: 2min 15sec ::::::::::::
____________________________________________

After that Avast automatically scans the MCS quarantine, detects and deletes those three malware.

Here is Avast FileSystemShield log:
Code: [Select]
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Wednesday, March 12, 2014 4:20:49 PM
*

12.3.2014. 17:07:22 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 AVTORUN.45284\slovenec.exe|>[UPX] [L] Win32:MalOb-IJ [Cryp] (0)
File was successfully moved to chest...
12.3.2014. 17:07:28 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 ZNOJE.314628\misejaja.exe [L] Win32:Evo-gen [Susp] (0)
File was successfully moved to chest...
12.3.2014. 17:07:29 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 NATASA.118917\pazhin.exe|>[UPX] [L] Win32:MalOb-AI [Cryp] (0)
File was successfully moved to chest...
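
The correlation between the two logs in the post above, as an added example (not part of the original posts, and not MCShield or avast! code): it matches each quarantine entry named in the MCShield log against avast! detections under the quarantine folder. The regular expressions assume the line formats seen in these two logs, and the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Quarantine folder as named in the thread (%ProgramData% expanded).
QUARANTINE = PureWindowsPath(r"C:\ProgramData\MCShield\Quarantine")
# Assumed MCShield format: ">>> <source> - Malware (folder) > Deleted. (<entry>)"
MCS_RE = re.compile(
    r"^>>> (?P<src>[A-Za-z]:\\.+?) - Malware \(folder\) > Deleted\. \((?P<entry>.+)\)$")
# Assumed avast! format: "<date> <time> <path>[|>[unpacker]] [L] <detection> ..."
AVAST_RE = re.compile(
    r"^\S+ \S+ (?P<path>[A-Za-z]:\\.+?)(?:\|>\[[^\]]+\])? \[L\] (?P<name>\S+)")
# Lines excerpted from the two logs posted above.
MCS_LOG = r"""
>>> F:\AVTORUN - Malware (folder) > Deleted. (14.03.12. 17.07 AVTORUN.45284)
>>> F:\ZNOJE - Malware (folder) > Deleted. (14.03.12. 17.07 ZNOJE.314628)
>>> F:\NATASA - Malware (folder) > Deleted. (14.03.12. 17.07 NATASA.118917)
"""
AVAST_LOG = r"""
12.3.2014. 17:07:22 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 AVTORUN.45284\slovenec.exe|>[UPX] [L] Win32:MalOb-IJ [Cryp] (0)
File was successfully moved to chest...
12.3.2014. 17:07:28 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 ZNOJE.314628\misejaja.exe [L] Win32:Evo-gen [Susp] (0)
File was successfully moved to chest...
12.3.2014. 17:07:29 C:\ProgramData\MCShield\Quarantine\14.03.12. 17.07 NATASA.118917\pazhin.exe|>[UPX] [L] Win32:MalOb-AI [Cryp] (0)
File was successfully moved to chest...
"""

def avast_hits(avast_log):
    """Yield (entry, file, detection, action) for detections inside the quarantine."""
    lines = [ln.strip() for ln in avast_log.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = AVAST_RE.match(line)
        if not m:
            continue
        path = PureWindowsPath(m["path"])
        if QUARANTINE not in path.parents:
            continue  # detection outside the MCShield quarantine
        rel = path.relative_to(QUARANTINE)
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        action = "" if AVAST_RE.match(nxt) else nxt  # action is logged on the next line
        yield rel.parts[0], rel.parts[-1], m["name"], action

def correlate(mcs_log, avast_log):
    """Map each MCShield quarantine entry to what avast! did to its files afterwards."""
    found = (MCS_RE.match(ln.strip()) for ln in mcs_log.splitlines())
    report = {m["entry"]: {"source": m["src"], "touched": []} for m in found if m}
    for entry, name, detection, action in avast_hits(avast_log):
        if entry in report:
            report[entry]["touched"].append((name, detection, action))
    return report
```

An entry with a non-empty `touched` list is one whose quarantined copy the resident scanner has since acted on, so it may no longer be intact in the MCShield quarantine.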

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: 2nd layer protection for USB drives: MCShield
« Reply #207 on: March 12, 2014, 09:38:36 PM »
Hi juuki,

Quote
Encryption is not added to MCS. Have no idea where you get that information.
Juuki believe me, I know.  ;D
Encryption is added to MCShield Quarantine since version 2 (2.2.3.15) in October 2012.
public info: official site > changelog


Quote
In my case I inserted a USB. MCS detected 4 malware, I deleted 3 and 1 is ignored.
I understand.

By the logs, my guess is that MCS has attempted to set and pack the malicious files in its Quarantine but avast! has blocked that operation. avast! has a routine to scan all newly detected USB devices. A conflict may arise when the AV (in this case avast!) wants to be the first in scanning, thereby not allowing access to the disk. MCShield attempts to access the disk as well to perform scanning and a glitch occurs.

I would recommend as a solution to disable that routine to allow MCShield that part of the job, if you will.  That should be the solution for your problem. Or . . set the MCS's Quarantine folder %path% as an exception in avast!. Quarantine is located in the programdata folder.

Code: [Select]
%ProgramData%\MCShield\Quarantine
Anyway, I will perform some additional testing and report to dr_Bora.

Or you can use our contact support form.
http://www.mcshield.net/contactus.html

Thank you for your feedback.


juuki

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #208 on: March 13, 2014, 04:36:54 PM »
Quote
By the logs, my guess is that MCS has attempted to set and pack the malicious files in its Quarantine but avast! has blocked that operation. avast! has a routine to scan all newly detected USB devices. A conflict may arise when the AV (in this case avast!) wants to be the first in scanning, thereby not allowing access to the disk. MCShield attempts to access the disk as well to perform scanning and a glitch occurs.

MCS detects and sends malicious files to quarantine. After that Avast detects those "new" files in quarantine and deletes them or sends them to its quarantine.
Avast doesn't block any MCS operation.

Also Avast doesn't scan newly detected USB devices, that's why this 2nd layer protection for USB devices is needed. So there is no conflict between Avast and MCS.

Quote
I would recommend as a solution to disable that routine to allow MCShield that part of the job, if you will.  That should be the solution for your problem. Or . . set the MCS's Quarantine folder %path% as an exception in avast!. Quarantine is located in the programdata folder.

Code: [Select]
%ProgramData%\MCShield\Quarantine

As a solution I added an exclusion in Avast (File System Shield) for the MCS Quarantine folder:
Code: [Select]
C:\ProgramData\MCShield\Quarantine\
selected R and W, not X, so if any file from the quarantine folder tries to execute it will be scanned by Avast.

Quote
Anyway, I will perform some additional testing and report to dr_Bora.

I tried to test it myself with these settings, but MCS can't detect the EICAR test file, so I have no idea how to test it, and whether it will work.

Quote
Thank you for your feedback.

No problem, I'm always here to help ;)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: 2nd layer protection for USB drives: MCShield
« Reply #209 on: March 13, 2014, 11:09:07 PM »
Quote
Also Avast doesn't scan newly detected USB devices, that's why this 2nd layer protection for USB devices is needed. So there is no conflict between Avast and MCS.
Not really true. avast! DOES scan any accessed file in the USB devices. Like MCS, it does not scan ALL the files in the USB drive.
I also use MCS as a 2nd layer.
The best things in life are free.