Author Topic: 2nd layer protection for USB drives: MCShield  (Read 116364 times)


Offline Pondus

Re: 2nd layer protection for USB drives: MCShield
« Reply #225 on: May 03, 2014, 07:24:03 PM »
Quote
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.
If you read all the info in this topic, especially from magna86 and Dr_bora, you will see it is not.

also if you surf viruses and worms forums section you will see all the good work it does

check MCShield log attached here
http://forum.avast.com/index.php?topic=149818.msg1088692#msg1088692

Quote
=> Malicious files   : 23/23 deleted.
=> Hidden folders    : 2/2 unhidden.
=> Hidden files      : 30/30 unhidden.


« Last Edit: May 03, 2014, 07:26:29 PM by Pondus »

AdrianH

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #226 on: May 03, 2014, 07:24:30 PM »
Quote
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.

Wrong. No single AV product is 100%. New threats are created every hour of every day.

If you are using USB sticks and portable drives you need the extra protection.

Offline Asyn

Re: 2nd layer protection for USB drives: MCShield
« Reply #227 on: May 03, 2014, 07:24:34 PM »
Quote
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.
Nope, it can be quite useful.

BlackHawk1

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #228 on: May 03, 2014, 07:38:28 PM »
Quote
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.

Quote
Wrong. No single AV product is 100%. New threats are created every hour of every day.

If you are using USB sticks and portable drives you need the extra protection.

Agreed no AV is 100% and layering a million products isn't 100% either. What extra protection? AV I have scans the drive as it's inserted. Autorun disabled. SAFE surfing goes a LONG way.
« Last Edit: May 03, 2014, 07:40:27 PM by BlackHawk1 »

Offline Pondus

Re: 2nd layer protection for USB drives: MCShield
« Reply #229 on: May 03, 2014, 07:57:48 PM »
Quote
Autorun disabled. SAFE surfing goes a LONG way.
safe surfing does not help if you insert an infected USB ..... and autorun is just one vector used by those critters

all those with USB infected computers you find in viruses and worms forum section that came for help, did have AV installed






AdrianH

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #230 on: May 03, 2014, 08:03:54 PM »
Quote
Not knocking the program at all, but it just seems like a waste if proper AV is already in place.

Quote
Wrong. No single AV product is 100%. New threats are created every hour of every day.

If you are using USB sticks and portable drives you need the extra protection.

Quote
Agreed no AV is 100% and layering a million products isn't 100% either. What extra protection? AV I have scans the drive as it's inserted. Autorun disabled. SAFE surfing goes a LONG way.

and if your AV does not have the detection for the latest threat you are infected.

Mcshield gives you a second chance.

BlackHawk1

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #231 on: May 03, 2014, 08:09:14 PM »
Quote
Autorun disabled. SAFE surfing goes a LONG way.
safe surfing does not help if you insert an infected USB ..... and autorun is just one vector used by those critters

I understand. Good thing I don't share my drives with anyone.

Quote
all those with USB infected computers you find in viruses and worms forum section that came for help, did have AV installed

IME people that happens to are, I'll call them, high risk users. Poor choice of AV IMO, doing things and going places they shouldn't, not much experience and common sense either. I have been using KAV since 1996 when it was AVP and I was a very high risk user at one point. In all these years just 1 infection KNOCK ON WOOD! I am reading more on MCS and seeing a lot of false positive reports and trashed drives because of it. I guess if it makes you feel safer... some love to layer to the extreme and I was once that way. I am amazed at how infected some computers can get these days. I don't know how people can screw up so bad. Many go too fast, don't know what they are doing, and allow installs of bundled junk.

BlackHawk1

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #232 on: May 03, 2014, 08:11:53 PM »

Quote
and if your AV does not have the detection for the latest threat you are infected.

Mcshield gives you a second chance.

0day on a USB drive isn't very common, very rare I would say.

Offline magna86

Re: 2nd layer protection for USB drives: MCShield
« Reply #233 on: May 04, 2014, 01:00:25 AM »
Hi BlackHawk1  :)

Frequently Asked Questions, here you should have all your answers in Documentation English pdf
http://www.mcshield.net/download.html

Well, there is difference between antivirus and antimalware programs. These are two different things.
Just compare the two probably most popular free products in the security world, Malwarebytes and avast! ...
MCShield is free (non-profit) antimalware program:
- MCS can NOT replace avast! nor any other antivirus.
- do not even try to compare them as they are not the same.

As has already been said, AV programs are mainly signature based software. In world, this means that AV has to wait for signature in order to detect in this case the USB based malware or new malware. For this reason, there are various additional anti malware/tools that target either specific infections or come as addition to the primary AV program just as help. MCS is here to help the AV or some other AM program and MCS doesn't need a signature (btw, MCS does have its own database as well) but uses a pattern and various detection behavior routines in order to detect even new USB based malware as a specialized tool only for this malware type.
That's where the main difference is! This is MCS's job.
For real advanced user, MCShield may not be necessary, but yet again, nor AV is required if IT admin-user know what he is doing.

You mentioned the MCS FP detection. Well, they are now rare but if some FP does occur it is autorun.inf related. Why?
Well, autorun isn't always malware by itself, it is just some form of txt file. autorun.inf is the trigger to the real malware executable file.
What, where and why . . it is explained in some previous dr_Bora's post.

Btw, there is no known 0day USB malware, it is again something ...else. But new and undetected, unknown USB malware does exist.
Btw2, autorun is today the old way (read: unpopular way) to trigger/load the malware from USB to system and this exploit applies mostly to today's old XP system, not to Vista and newer OS's, where USB based malware uses some different techniques.
Quote
I am amazed at how infected some computers can get these days. I don't know how people can screw up so bad.
I'm doing this for very, very long time. And trust me, I can not fully figure how they do that.  ;D


...     ...      ...     ...     
You mentioned that you have KAV since 1996 and only one infection at that time. How do you know?
Modern malware has the job not to indicate its presence, to be executed without the knowledge of AV/AV and user, some even to delete itself after executing
in order not to leave traces ...etc. So you're now saying that you had no active (just one) malware during that time? Congratulations, but, how do you know and are you 100% sure?  ;)

Do you have idea how much I examined the system where some AV's has green notify "you are protected, there are no threats" or something like that but active malware is loaded on the system and performs its job, most users are unaware of the presence of malware because they expect that they will feel some bug in system. No, they will probably not feel any bugs or something that indicates the malware presence.
Hardware and core-system is far advanced and fast, user in 80% of cases is not aware that he is infected BC the user sees his system in perfectly working state.
Unfortunately, many users ask for help for malware removal only when their AV flag some warning.

facts:
AV is a must have, without AV, PC life would be difficult and impossible. But AV are not 100% almighty and sometimes AV needs some additional help.



Cheers  :)
« Last Edit: May 04, 2014, 01:04:37 AM by magna86 »
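
The point in the post above, that autorun.inf is a plain text file and only acts as a trigger when it names a program, can be checked mechanically. The following is an added example, not part of the original post and not MCShield's detection logic: a tolerant parser that lists the `[autorun]` entries that start a program (`open`, `shellexecute`, `shell\<verb>\command`) and treats a file with only `icon`/`label` as cosmetic. The sample files and the name `placeholder.exe` are constructed.

```python
import re

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def autorun_launch_entries(text):
    """Return [(key, command)] for every [autorun] entry that starts a program.

    The parser is line based and skips lines it cannot read, because an
    autorun.inf on an infected drive may be padded with junk lines.
    """
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # other section, or junk without key=value
        key, value = (part.strip() for part in line.split("=", 1))
        if (key.lower() in LAUNCH_KEYS or SHELL_CMD.match(key)) and value:
            entries.append((key.lower(), value))
    return entries


def classify(text):
    """'launcher' if the file would start something, else 'cosmetic'."""
    return "launcher" if autorun_launch_entries(text) else "cosmetic"


# Constructed samples, not taken from any real drive.
COSMETIC = "[autorun]\nicon=drive.ico\nlabel=Holiday photos\n"
LAUNCHER = (
    "; constructed sample\n"
    "xk3j9 junk padding line\n"
    "[AutoRun]\n"
    "OPEN = placeholder.exe\n"
    "shell\\open\\command=placeholder.exe\n"
    "label=Holiday photos\n"
)

if __name__ == "__main__":
    for name, sample in (("cosmetic", COSMETIC), ("launcher", LAUNCHER)):
        print(name, classify(sample), autorun_launch_entries(sample))
```

A tool that flags every autorun.inf regardless of content would report the first sample too, which is the kind of false positive the post describes.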

BlackHawk1

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #234 on: May 04, 2014, 05:13:34 AM »

Thank you for the reply. I understand where you are coming from with signature/definition, but as you know AV also has file reputation, heuristics/behavioral analysis as well. I am not saying AV is the only thing needed though. I understand there's a difference between antivirus and antimalware to a point... Well not really as malware is anything malicious so technically that falls under both though you may not see it that way. I am guessing you know things have changed and the days of viruses that destroy and alter files are not common these days. When is the last time something as bad as CIH/Chernobyl was around? How many Word macro viruses do you see these days? HTML virus? Authors are done with look what I can write and have moved on to look how much $ I can reap malware. Not showing presence... I disagree as most of it these days is quite obvious even when a person's AV misses it, it's there staring them in the face with popups, degraded system performance, fake warnings, etc. I feel that programs like Malwarebytes and SuperAntiSpyware as well as some others depending on your preference fill a void that AV misses and they are much needed and do a great job. I am quite sure I have only had 1 incident of actual infection in 95... trust me. On Dec. 8, 2005 I did without the help of AV discover a 0day which was named Troj/Edepol-B. It was never activated. It looked suspicious to me and I submitted the sample to several sites. Different vendors ended up giving it different names... Bifrose, Backdoor-CEP, Trojan.Win32.Pakes. Anyway the way I see it MCS is for those rare instances and for people who just love to load up on protection of all kinds and put the list of those in their signatures. :) Layered so much the computer looks like a Mummy. ;)

Offline Pondus

Re: 2nd layer protection for USB drives: MCShield
« Reply #235 on: May 04, 2014, 10:38:42 AM »
Quote
Anyway the way I see it MCS is for those rare instances and for people who just love to load up on protection of all kinds and put the list of those in their signatures. :) Layered so much the computer looks like a Mummy. ;)
it should be installed on every computer in internet cafes / schools / photo shops ...... any place/computer that uses lots of removable storage devices


Quote
How many Word macro viruses do you see these days? HTML virus?
Word macro not many....
HTML virus, many ....every day
https://www.virustotal.com/nb/file/476517ba131c26954fb0625cad9753dc5ba099dc85d0e64684e4117d4cfdee0a/analysis/
https://www.virustotal.com/nb/file/38f1d1f44fdcc2f7a928bd02359ac864b3da5f382ce1a43156ef3c7bbdad7509/analysis/
https://www.virustotal.com/nb/file/43ea7621cfd8192f3aeaf344f344d283f65bc009c9f22759eaf8cb0bed83ea46/analysis/

Sucuri blog  http://blog.sucuri.net/




« Last Edit: May 04, 2014, 11:01:03 AM by Pondus »

Offline bob3160

Re: 2nd layer protection for USB drives: MCShield
« Reply #236 on: May 04, 2014, 01:47:26 PM »
Quote
Anyway the way I see it MCS is for those rare instances and for people who just love to load up on protection of all kinds and put the list of those in their signatures.  Layered so much the computer looks like a Mummy.

Your computer, your choice.
My computer, my choice.
We probably make different choices. :)

Offline magna86

Re: 2nd layer protection for USB drives: MCShield
« Reply #237 on: May 04, 2014, 08:27:27 PM »
Hi,  :)

Quote
...but as you know AV also has file reputation, heuristics/behavioral analysis as well.
Yes, of course it does. And powerful ones ... But we are talking about worms that attempt to be transmitted via removable drives.

Quote
Authors are done with look what I can write and have moved on to look how much $ I can reap malware.
I agree, it is a long known fact. What is the purpose to make an effort just to get something destroyed (unless there is some hidden motive) if you can earn at the same.

Quote
Not showing presence... I disagree as most of it these days is quite obvious even when a persons AV misses it, it's there starring them in the face with popups, degraded system performance, fake warnings, etc.
Not every malware shows its presence. We're not talking about "popular" bad PUP software where user will get the warning about installation and changing the home page, and we are not talking about rogue/ransomware where this malware has the GUI. We are talking about the hardcoded malware. Eg. keyloggers, 0access, TDL3/4, various MBR based ...etc ...


But all this goes behind our story.
MCShield is an additional, antimalware program designed to prevent infections transmitted via removable drives. If you think you do not need it, cool, don't install the program. But that does not mean that some other user does not need help.  ;)


Cheers  :D