2nd layer protection for USB drives: MCShield

[schmidthouse]

@ dr_Bora.
Thanks for the added information.
I appreciate the time you've taken to explain your program.

[Lisandro]

Thanks Bora.
I can follow the logic behind the programming decisions.

[polonus]

Hi folks,

My forum friend, Pondus, alerted me to this 2nd layer protection for usb, and I decided to install. If something is detected it alerts early in the scan sequence that the particular drive is infected, and you are advised not to interrupt. Advanced users will like to check against a FP. On the other hand the logs neatly produce a hash for what is found, but that is sometimes no garantuee for getting the actual infection info you'd like to have a verifiable indication.
The only software that is specific for USB, but has to come installed there or on the PC  is called MX One Antivirus, it is a Mexican freeware and runs neatly alongside your resident av solution. I did missed the comparison of these two products in this thread. Maybe someone can comment?
Also good is when you do not travel or use peripherals, you can disable it for the time you have no need for it.
I would say, a little minus for the interfase being a bit basic, big plus for detection of  infections that normally go under the detection radar, like desktop.ini etc. Use it like "an extra mirror to look into the normally blind corners",

polonus

[Theo Peterbroers]

And while we're at it, here are some more USB antivirus products.

PNY antivirus, http://www. y2000.com.tw/Engweb/pnyusbav.html (rebranded Snowy Owl antivirus)
Naevius USB Antivirus http://www. naevius.com/usb_antivirus.htm

I know for sure, that there are more USB antivirus products that I did not bookmark. Any interest in a list?

[Theo Peterbroers]

Naevius is also referred to from the future (Posted on 05-07-2013):
hXXp://www. bestfreeantivirus2013.net/ free-ernt-system-antivirus-2013/

They also have links to Free Usb Flash Drive Autorun Antivirus 2013 and Free Antisapetik Usb 2013 Antivirus
hXXp://www. bestfreeantivirus2013.net/ free-usb-flash-drive-autorun-antivirus-2013/
hXXp://www. bestfreeantivirus2013.net/ free-antisapetik-usb-2013-antivirus/

EDIT And some more, seems to be a lukewarm item, I might say 'somewhat trending' to keep up with the hipsters.
hXXp://download. cnet.com/USB-Drive-Antivirus/3000-2239_4-10841283.html
hXXp://www. usbantivirus.net/
hXXp://www. trustport.com/en/products/trustport-usb-antivirus
hXXp://www. softpedia.com/downloadTag/USB+Antivirus (GGreat is Snowy Owl, see previous post)
hXXp://thepcsecurity. com/mx-one-free-usb-portable-antivirus-for-malware-removal/
hXXp://usb-av-antivirus. en.malavida.com/
hXXp://www. hongkiat.com/blog/tools-to-protect-computer-from-infected-usb-drives/

[polonus]

Hi Kwartet!,

Thanks for the survey. Handy for those testers out here....
This thread will probably continue because protection of peripheral (flash) disks will be more and more of an issue for all of us.

From Plug and Play and  then Pray to Plug and Play in a Better and more  Secure Way...

The rhyme quote I made up myself...

As I look for effectiveness and I compare MX One to McShield 2.1.413 I would go for the second solution.
On an old usb stick that I scanned  McShield found another issue, an autorun.inf and came to rename that.
MX One just found a lot of unknown files always and wanted to send these home for further evaluation.
So it reminded me more of a data collection tool.
The actions thereof reminded me of the RUBotted beta tool.
It sits there in the background and never alerted me to anything and the logs are still empty from the mo I installed it..
The only thing I like McShield  to add really is possible user interaction before malcode is being processed,
so there is room for a second op....

polonus

[George Yves]

The only software that is specific for USB, but has to come installed there or on the PC  is called MX One Antivirus, it is a Mexican freeware and runs neatly alongside your resident av solution. I did missed the comparison of these two products in this thread. Maybe someone can comment?

I tried to install this program. First of all, I want to note that I could not download it from the manufacturer. After clicking on the download button I was redirected to another site that has been blocked by Bitdefender Traffic Lights extension in my Firefox as a site with malicious content. Well, I opened Google Search and found http://mx-one-antivirus.en.malavida.com/ where I downloaded not the installation file but a small program that in its turn downloaded the installation file right on my desctop. After that I started the installation process during which Avast's Autosandbox asked me several times if I want to start every component sandboxed.

The first window asked me what I want: to install the program on a USB or on my computer. I chose the second option. Then I was asked about the installation process language and I chose Russian. During the process I was asked if I would like to install a Babylon toolbar and I had to uncheck three boxes to refuse. One of the windows asked me to choose the interface language - I had to choose English because they haven't Russian. Strange but they could find Russian only for the installation windows. After the installation I got the program's icon in the system tray - a simple blue square with white letters "MO". Not very informative, I think. When I right-clicked it I saw a menu not fully translated from Spanish and with automatically checked option "Disable Real Time Protection".

Then I was prompted that the program needs to update its database and I allowed the updating. It took less than 20 seconds to update the database. Now I tried to test the program. I don't have an infected USB and I inserted one of my USBs just to see it in action. In two seconds I saw the result (see my screenhot 2). I clicked OK and got the suggestion to analyze the USB by full (screenshot 3). I agreed and instantly got the same result as in MO1. I clicked OK again and saw the scan results window (screenshot 4). I closed the window and saw the main window (screenshot 1) which I closed too.

My first impression is that the program is fast but the interface needs a lot of improvement and translation.

     

[schmidthouse]

Hi: I continue to use MCShield v.2.1.4 with no problems.
I have it set as 'on demand'. When using USB I execute MCS before inserting device. MCS updates immediatlely and then scans the Flashdrive.
I then allow MCS to run as I work through various Flashdrives.
Works for me.

[Theo Peterbroers]

Last part of my contribution, I reached page 20 of google and filtered against cnet, naevius, and some more. There are rogue sites offering to uninstall naevius, I saw some crack and keygen sites. All Youtube stuff is useless at best (showing you where to click), malicious at worst (linking to rogue software).

hXXp://www.myantispyware. com/2009/01/08/flash-disinfector-free-autoruninf-trojans-removal-tool/
hXXp://usb-disk-security. com/
hXXp://www.itechdaddy. com/USB_Antivirus.aspx
hXXp://www.ehow. com/list_6657744_usb-antivirus-tools.html
hXXp://www.autorunremover. com/effective-antivirus.html (I believeI saw that one in one of the links above)
hXXp://www.usbqc. com/
hXXp://kenai. com/projects/petirojo/sources/petirojo-svn/show
hXXp://www.usb-security-protection. com/download.html
hXXp://www.mydigitallife. info/new-lg-vaccine-usb-flash-drive-with-antivirus-and-malware-protection-software/

DOUBTFUL
hXXp://www.ubergizmo. com/2010/04/u-usb-hub-with-antivirus-scanning
hXXp://www.youtube. com/watch?v=qNrs89LadtU
hXXp://www.youtube. com/watch?v=1Woiwas1OQU LEGIT?
hXXp://www.youtube. com/watch?v=WehY2YoiBKk NOT LEGIT

I did contemplate about software to be installed on the usb device. This seems to offer protection to other pc's and environments (Linux, OS/X). But it also implies some form of autorun wherever it is supposed to be active. Autorun we avoid like the plague. Any protection to other pc's and environments should therefore be static.

[DavidR]

When posting suspect urls it is best to break the link in a way so as there is no part of it displayed as an active link.

The easiest way to do that is to change http to hXXp e.g. hXXp://www.ehow.com/list_6657744_usb-antivirus-tools.html, so you just see a text format and the forum software doesn't show it as an active link.

[polonus]

Hi DavidR,

Even a combination of these methods is to be preferred I think. If I give in htxp://wXw etc. I just have to highlight everything after the htxp:// and hopla it will open up in the browser as I give in enough of the location header (sometimes I do not even need to put www there - google will assist me to go there ).
If the broken link is a combination of your adopted breaking methods and spaces in between www domain name etc, no-one can load it mistakenly in the way I described. The same goes for placing a hyphen right in fromt of an address, this can also be mistakingly be circumvented.
Somewhere we have to address this, but again and again I see newbies here that give live malware links all sorts, and some can be lively dangerous to click through, especially without ample precaution inside a browser and software that is exploitable (drive-by-downloads, incognito malcode and the like)...

polonus

[bob3160]

Damien,
You can't stop those that want to visit infected sites from getting there. (True Indian managed to do it.....  )
As long as someone can't accidently click on a live link, that should be sufficient IMHO.

[DavidR]

The main point is that it doesn't create create any part of what appears to be an active link. The URL with a space before the .com has the forum software trying to make it active. There are some browsers that will try to correct that malformed URL and the user could end up at the suspect/malicious site.

Hell avast may even do that with its SiteCorrect feature and Auto redirect enabled, assuming it works on your browser.

[Theo Peterbroers]

Then I underestimated the browsers, OMG all those things one has to take account of.  BTW, 'tis not malware I linked to.

@polonus: that was my reasoning for including a space.

[true indian]

<snip> (True Indian managed to do it.....  )

somebody remembered me 

Lah!!! I didnt even infect my system...I do testing on a VM