Author Topic: 2nd layer protection for USB drives: MCShield  (Read 132255 times)


Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48542
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #45 on: August 30, 2012, 12:12:05 AM »
Quote:
@bob3160: normally, a flash drive is a storage media and if used that way, false detections should not occur, but there's a number of legit programs (example: Lupo Pen Suite and similar, bootable drives, memory cards used in some devices) that use either different autorun methods or exhibit certain behavior that can often be seen on infected drives. To prevent these FPs, MCS has a whitelist containing hashes of a number of known legitimate files that need to be protected from detection. Unfortunately, I'm the only one that maintains this database and I definitely have no way of knowing about every possible program that would need to be protected from detections. Obviously, false positives must happen from time to time and they are fixed when users report them to me. So, if you show me the logfile of that scan, the files are going to be whitelisted and the detections will not reoccur (I need the log because it contains the MD5s of the files).
Thanks for the prompt reply, and welcome to the forum, dr_Bora.
I see the 3 folders in question, but where are they located?

>>> MCShield v 2.1.4.13 / DB: 2012.8.28.1 <<<
8/29/2012 4:06:30 PM > Drive F: - scan started (no label ~31183 MB, NTFS flash drive )...
>>> F:\autorun.inf > Suspicious > Renamed.
>>> F:\setup.exe - Suspicious > Renamed. (MD5: 0b60f00ae3f2bb298060f6655612691e)

=> Suspicious files  : 2/2 renamed.
____________________________________________

::::: Scan duration: 37s :::::::::::::::::::
____________________________________________

Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet
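dr_Bora's point in the quoted reply is that the whitelist works on file hashes, so a false-positive report is only useful if it carries the MD5s from the scan log. The parser below is an added example for this thread, not MCShield's code or any tool of its author: it reads lines in the log format bob3160 posted (the sample lines are copied from that log, including the MD5, and the header, drive, detection and summary patterns are my reading of those lines), pulls out each detection with its path, verdict, action and MD5, and collects the hashes a user would send in for whitelisting. The function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Sample lines in the format of the log quoted in the post above (taken from
# that post; the autorun.inf line carries no hash, the setup.exe line does).
SAMPLE_LOG_LINES = [
    r">>> MCShield v 2.1.4.13 / DB: 2012.8.28.1 <<<",
    r"8/29/2012 4:06:30 PM > Drive F: - scan started (no label ~31183 MB, NTFS flash drive )...",
    r">>> F:\autorun.inf > Suspicious > Renamed.",
    r">>> F:\setup.exe - Suspicious > Renamed. (MD5: 0b60f00ae3f2bb298060f6655612691e)",
    r"=> Suspicious files  : 2/2 renamed.",
]

HEADER_RE = re.compile(r"^>>> MCShield v (?P<version>\S+) / DB: (?P<db>\S+) <<<$")
DRIVE_RE = re.compile(
    r"^(?P<when>.+?) > Drive (?P<drive>[A-Za-z]:) - scan started \((?P<info>.*?)\)\.\.\.$"
)
# The separator between path and verdict is '>' on one line and '-' on the
# other in the posted log, so both are accepted; the MD5 suffix is optional.
DETECTION_RE = re.compile(
    r"^>>> (?P<path>[A-Za-z]:\\.+?) [>-] (?P<verdict>.+?) > (?P<action>\w+)\."
    r"(?: \(MD5: (?P<md5>[0-9a-fA-F]{32})\))?\s*$"
)
SUMMARY_RE = re.compile(r"^=> Suspicious files\s*: (?P<done>\d+)/(?P<total>\d+) (?P<action>\w+)\.$")


@dataclass
class Detection:
    path: str
    verdict: str
    action: str
    md5: Optional[str] = None


@dataclass
class ScanReport:
    version: Optional[str] = None
    db: Optional[str] = None
    drive: Optional[str] = None
    drive_info: Optional[str] = None
    detections: List[Detection] = field(default_factory=list)
    summary: Optional[Tuple[int, int, str]] = None  # (handled, total, action)


def parse_mcshield_log(lines: Iterable[str]) -> ScanReport:
    """Parse one scan's worth of log lines; unknown lines are ignored."""
    report = ScanReport()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            report.version, report.db = m["version"], m["db"]
            continue
        m = DRIVE_RE.match(line)
        if m:
            report.drive, report.drive_info = m["drive"], m["info"].strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            md5 = m["md5"].lower() if m["md5"] else None
            report.detections.append(Detection(m["path"], m["verdict"], m["action"], md5))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary = (int(m["done"]), int(m["total"]), m["action"])
    return report


def hashes_for_whitelist_report(report: ScanReport) -> List[str]:
    """The MD5s a user would pass on when reporting a false positive."""
    return [d.md5 for d in report.detections if d.md5]


if __name__ == "__main__":
    rep = parse_mcshield_log(SAMPLE_LOG_LINES)
    print(f"MCShield {rep.version}, DB {rep.db}, drive {rep.drive} ({rep.drive_info})")
    for d in rep.detections:
        print(f"  {d.path}: {d.verdict} -> {d.action}" + (f" MD5 {d.md5}" if d.md5 else ""))
    print("hashes to report:", hashes_for_whitelist_report(rep))
```

Feeding the parser a whole MCShield log file line by line gives one report per scan block; only entries that carry an MD5 are useful for a whitelist request, which is why the autorun.inf detection is listed but contributes no hash.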

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48542
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #46 on: August 30, 2012, 12:15:54 AM »
The program I used to create the bootable USB comes from Microsoft and can be found at:
http://www.microsoftstore.com/store/msstore/html/pbPage.Help_Win7_usbdvd_dwnTool

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 4095
  • Help you I can
Re: 2nd layer protection for USB drives: MCShield
« Reply #47 on: August 30, 2012, 12:02:18 PM »
So, unless you go there and start clicking on files you know to be malicious, you won't have any problems.
That is the problem. According to the famous Russian writer Anton Chekhov, "If in the first act you have hung a pistol on the wall, then in the following one it could be fired."
May the FOSS be with you!

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1936
  • Christian Geek - aka 'born again' Geek
Re: 2nd layer protection for USB drives: MCShield
« Reply #48 on: August 30, 2012, 04:31:41 PM »
Will this work with Windows 8?

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48542
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #49 on: August 30, 2012, 10:56:48 PM »
Will this work with Windows 8?
I'm running Windows 8, so you be the judge. ;)

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 4095
  • Help you I can
Re: 2nd layer protection for USB drives: MCShield
« Reply #50 on: August 31, 2012, 06:04:09 PM »
As I said, I can't use MCShield on my home computer. But could anybody advise me of any freeware analogue?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: 2nd layer protection for USB drives: MCShield
« Reply #51 on: August 31, 2012, 07:37:58 PM »
I've never heard of one... This is why I've aired it out at the beginning. Seems unique (by now).
The best things in life are free.

dr_Bora

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #52 on: August 31, 2012, 10:07:53 PM »
@bob3160, sorry for the late reply, I was away.

The file in the log, setup.exe, is whitelisted in DB 2012.8.31 and won't be detected anymore.

Regarding those folders... They are not from the same scan as the Setup program. Unless you're 100% sure that those are of legitimate origin, just leave them quarantined.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48542
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #53 on: August 31, 2012, 10:28:20 PM »
@bob3160, sorry for the late reply, I was away.

The file in the log, setup.exe, is whitelisted in DB 2012.8.31 and won't be detected anymore.

Regarding those folders... They are not from the same scan as the Setup program. Unless you're 100% sure that those are of legitimate origin, just leave them quarantined.
They are a part of the original .iso download from Microsoft.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: 2nd layer protection for USB drives: MCShield
« Reply #54 on: September 01, 2012, 07:54:31 PM »
MCShield in action for me for the first time:

>>> MCShield v 2.1.4.13 / DB: 2012.8.31.1 <<<
01/09/2012 14:49:04 > Drive H: - scan started (~3817 MB, FAT32 flash drive )...
>>> H:\autorun.inf > Suspicious > Renamed.
>>> H:\SecureII\Windows\SecureII.exe - Suspicious > Renamed. (MD5: a56e7680a6d2940dafa668585a89d5a2)

=> Suspicious files  : 2/2 renamed.
____________________________________________

::::: Scan duration: 20s :::::::::::::::::::
____________________________________________

But seems a false positive:
https://www.virustotal.com/file/f1850adf458d0610ad84d6eab622ed49aea2f597375465c088784f0d46727722/analysis/


By the way, the light on the USB stick becomes RED when this happens :)
Is it a coincidence?

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48542
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #55 on: September 01, 2012, 08:13:40 PM »
MCShield in action for me for the first time:

>>> MCShield v 2.1.4.13 / DB: 2012.8.31.1 <<<
01/09/2012 14:49:04 > Drive H: - scan started (~3817 MB, FAT32 flash drive )...
>>> H:\autorun.inf > Suspicious > Renamed.
>>> H:\SecureII\Windows\SecureII.exe - Suspicious > Renamed. (MD5: a56e7680a6d2940dafa668585a89d5a2)

=> Suspicious files  : 2/2 renamed.
____________________________________________

::::: Scan duration: 20s :::::::::::::::::::
____________________________________________

But seems a false positive:
https://www.virustotal.com/file/f1850adf458d0610ad84d6eab622ed49aea2f597375465c088784f0d46727722/analysis/


By the way, the light on the USB stick becomes RED when this happens :)
Is it a coincidence?
Exactly what happened to me and made my bootable USB un-bootable.
I've removed it and am letting avast! do the job. :)

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7170
  • When you think you know, Think Again
Re: 2nd layer protection for USB drives: MCShield
« Reply #56 on: September 01, 2012, 10:31:53 PM »
Just to update.
I've used MCShield now for a few days and a dozen or so different flash drives given to me, and no problem with the Shield doing its job under my circumstances. ;)
With the bootable flash drive it seems there are limitations or something... I don't know.
Anyway, for me, I'm running it every day and like it much better than USB Vaccine. :) 8)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: 2nd layer protection for USB drives: MCShield
« Reply #57 on: September 01, 2012, 11:12:21 PM »
For sure it would be better to configure it to "ask" and not to automatically take actions.

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7170
  • When you think you know, Think Again
Re: 2nd layer protection for USB drives: MCShield
« Reply #58 on: September 01, 2012, 11:26:49 PM »
For sure it would be better to configure it to "ask" and not to automatically take actions.

+100 Agreed it would :)
Edit:  Possibly one of the authors could take note. ;)

dr_Bora

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #59 on: September 02, 2012, 12:04:12 AM »
@Tech, the file is whitelisted, detection won't occur after update.

@bob3160, don't get me wrong, I'm not here to argue, but... The program just did what it is meant to do.
Basically, it's a generic scanner (probably 99% of detections are infection-based heuristics) meant to block USB-transmitted malware using any known attack vector.
Because files on removable drives are not critical for the proper functionality of your OS, MCS can go a step further than an antivirus can and be much more aggressive. Precisely that is the reason why I never got any reports of flash infections on computers running MCS in a period of more than 2 years.
And no, I'm not saying it detects everything, but it detects enough to prevent infections.
Anyway, thanks for trying and the feedback, it's appreciated.

These generic autorun detections simply happen when new/updated software using the autorun feature is published. When I'm informed about it, the detections get prevented. That's the only way I can make sure that a PC doesn't get infected using autorun. The alternative would be to do as an AV does: wait for a signature of a piece of malware (but that would make MCS quite pointless: it's supposed to help the AV with new malware, not have the same "problem" as the AV does).

Bootable drives are treated the same way as any other drive and there are no special issues regarding those. I'll do some testing with a Win8 setup flash disk to see what those folders are doing there (it's a name for a protected system folder, and I have a hard time understanding why MS would put those folders on a setup disk - if they are supposed to be there, I'll adjust the program logic behind those detections /that detection is not database based, it is hardcoded - a folder with that name in the root of a drive can be both legit and bad; the program tries to determine which is which.../).

schmidthouse mentioned Panda... No intention to talk badly about the "competition" :), I just believe that this needs to be said: Panda USB Vaccine provides a certain amount of protection on older operating systems where autorun functionality can be exploited. It creates an autorun.inf file (which can be considered as a loading point) and sets an illegal attribute on it (instead of being marked as a file, that autorun.inf is marked as a volume and because of that cannot be opened using standard Windows functions). There are two things to note regarding this:
- autorun is just one of the ways the infection can be started;
- this is not bulletproof; although they say you need to format the drive to remove the file, that file can be removed (a dll that comes with MCS has functions that can both create those files and remove them - this is not used because I think it is not a good approach, but, the point is, if MCS can do it, what is to prevent malware from doing it?).

Automatic mode and why MCS can't ask what to do... First, some things are time critical (autorun and the exploits); I can't ask because by the time the user responds it could be too late. Second, malware uses a lot of tricks and an average user doesn't have enough knowledge to respond properly.
An example: MCShield scans a memory card on a camera and tells the user that X:\DCIM.exe is malware... Most people would think I'm insane and that I'm trying to delete their pictures because a folder named DCIM is where their pictures are. Of course, this is simple stuff for a power user, but for an average one, it's not really that simple.

Anyway, to implement some kind of expert mode where the program would do what must be done right away and then ask the user for the rest would be brutally complicated and require a total rewrite of the program. To do this, I'd have to stop working on malware detection routines for at least six months and I'm not sure it's worth it. Yes, I know it doesn't look good when the first thing a program does is to make a false positive, but believe me when I say it doesn't happen that often. Currently, the whitelist contains only 111 files that had to be protected from detection. Don't know what you think of it, but I'd say that's not bad considering the program is more than 2 years old and that the number of treated items reported so far is 223173.
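dr_Bora's reply describes three ingredients of this kind of removable-drive scanner: generic heuristics on what sits in the drive root (an autorun.inf that launches a program, an executable named after a folder such as X:\DCIM.exe next to the DCIM photo folder), a hash whitelist that keeps known legitimate files such as bob3160's setup.exe from being flagged, and the observation that a folder-mimicking executable is hard for an ordinary user to judge. The script below is an added example written for this thread, not MCShield's code and not a description of its real rules; the rule names, the MD5 whitelist, the `scan_drive_root` / `build_sample_drive` / `demo` functions and the sample drive layout are all my own assumptions. It builds a constructed drive image in a temporary directory (a DCIM folder with a stub image, a DCIM.exe stub, an autorun.inf pointing at it, a whitelisted setup.exe stub and an empty Windows folder as on bootable media), reports what the rules flag, and shows the whitelist suppressing the known-good file. It only reports; it renames or deletes nothing.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# File types worth a second look when they sit in the root of a flash drive
# (my own list for this example).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


@dataclass
class Finding:
    name: str
    rules: List[str] = field(default_factory=list)
    md5: Optional[str] = None
    whitelisted: bool = False
    note: str = ""


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def autorun_target(path: Path) -> Optional[str]:
    """Minimal read of autorun.inf: 'open' and 'shellexecute' name the program run on insertion."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() in ("open", "shellexecute"):
            return value.strip()
    return None


def scan_drive_root(root: Path, whitelist: Set[str]) -> Tuple[List[Finding], List[Finding]]:
    """Apply the heuristics to the drive root; return (flagged, suppressed-by-whitelist)."""
    entries = list(root.iterdir())
    dir_names = {e.name.lower() for e in entries if e.is_dir()}  # drive FS is case-insensitive
    findings: Dict[str, Finding] = {}

    def hit(entry: Path, rule: str, note: str = "") -> None:
        f = findings.setdefault(entry.name, Finding(name=entry.name))
        f.rules.append(rule)
        if note:
            f.note = note

    for entry in entries:
        if not entry.is_file():
            continue
        if entry.name.lower() == "autorun.inf":
            target = autorun_target(entry)
            hit(entry, "autorun-file", f"launches {target}" if target else "")
            continue
        if entry.suffix.lower() in EXEC_EXTENSIONS:
            hit(entry, "root-executable")
            if entry.stem.lower() in dir_names:  # the X:\DCIM.exe beside DCIM\ case
                hit(entry, "folder-mimic", f"same name as folder {entry.stem}")

    flagged: List[Finding] = []
    suppressed: List[Finding] = []
    for f in findings.values():
        f.md5 = md5_of(root / f.name)
        f.whitelisted = f.md5 in whitelist  # known-good hash wins over the heuristic
        (suppressed if f.whitelisted else flagged).append(f)
    return flagged, suppressed


def build_sample_drive(base: Path) -> Tuple[Path, Set[str]]:
    """Constructed drive layout for the demo; the stubs are not real programs."""
    root = base / "F"
    (root / "DCIM" / "100PHOTO").mkdir(parents=True)
    (root / "DCIM" / "100PHOTO" / "IMG_0001.JPG").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
    (root / "Windows").mkdir()
    (root / "DCIM.exe").write_bytes(b"MZ constructed stub mimicking the photo folder")
    (root / "setup.exe").write_bytes(b"MZ constructed stub standing in for a legitimate installer")
    (root / "autorun.inf").write_text("[autorun]\nopen=DCIM.exe\nicon=DCIM.exe\n")
    whitelist = {md5_of(root / "setup.exe")}  # the hash-based whitelist from the thread
    return root, whitelist


def demo() -> Dict[str, dict]:
    with tempfile.TemporaryDirectory() as tmp:
        root, whitelist = build_sample_drive(Path(tmp))
        flagged, suppressed = scan_drive_root(root, whitelist)
        for f in flagged:
            print(f"{f.name}: {', '.join(f.rules)} {f.note} (MD5: {f.md5})")
        for f in suppressed:
            print(f"{f.name}: whitelisted, not reported (MD5: {f.md5})")
        return {f.name: {"rules": f.rules, "note": f.note, "whitelisted": f.whitelisted}
                for f in flagged + suppressed}


if __name__ == "__main__":
    demo()
```

Two of dr_Bora's points fall out of the run: the autorun.inf finding is the one that would be time-critical if the drive were inserted on an autorun-capable system, and DCIM.exe is flagged by a rule an average user would read as "the scanner wants to delete my photos", which is the case made for not prompting. The whitelist is keyed on the file hash, so a renamed or rebuilt setup.exe would need a new entry, exactly as the thread describes for updated software.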