Author Topic: 2nd layer protection for USB drives: MCShield  (Read 132727 times)


Offline ky331

  • Sr. Member
  • Posts: 303
Re: 2nd layer protection for USB drives: MCShield
« Reply #105 on: November 25, 2012, 04:37:47 AM »
For Dr. Bora,

I just tested your program.

As soon as the program opened and started to run --- before I could adjust any of its settings --- it found and deleted two files from my Lenovo RECOVERY PARTITION (Hard Drive):

11/24/2012 8:41:27 PM > Drive Q: - scan started (Lenovo_Recovery ~14 GB, NTFS HDD )...

>>> Q:\autorun.inf > Suspicious > Renamed.

>>> Q:\autorun.inf.vir - Malware > Deleted. (12.11.24. 20.41 autorun.inf.vir.372601; MD5: 492cf5b9300a6105893b8dd40031a141)

>>> Q:\LenovoQDrive.exe - Malware > Deleted. (12.11.24. 20.41 LenovoQDrive.exe.289741; MD5: 84d2d80e141e3e79aa0725e293ec83dc)


=> Malicious files   : 2/2 deleted.

==========================

I was taken aback --- especially when I looked into the program's quarantine area, and it "appeared" empty.   Fortunately, despite anxiety, I didn't completely panic.   I was able to locate the actual quarantine folder (in Windows Explorer and/or via the Command Prompt) and determined the files WERE present --- as HIDDEN+SYSTEM files.   By removing the hidden+system attributes, I was then able to "see" these files under McShield's Quarantine tab, and so was finally able to RESTORE them [hopefully correctly] to the Lenovo Q:\ Recovery Drive.

I would NOT want anyone else to experience this!

Question:   Does McShield maintain the file attributes as they were in the original location?   That is to say, should I make these two files HIDDEN+SYSTEM on my Q: drive after having restored them?
« Last Edit: November 25, 2012, 04:43:10 AM by ky331 »
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]
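The two problems ky331 runs into above (quarantined files that the quarantine view does not list because they carry HIDDEN+SYSTEM, and the question of whether a restore puts the original attributes back) are both bookkeeping problems. The following is an added example of how a quarantine can be built so that neither can happen; it is not MCShield's code and says nothing about how MCShield stores its quarantine. The listing is taken from a manifest rather than from a directory walk, the MD5 of each item is recorded at quarantine time and checked at restore time (the log in the post above also records an MD5 per item), and the original attribute word is saved and re-applied. `MANIFEST`, the record fields and the sample file content are assumptions made for the example.

```python
"""Quarantine bookkeeping with a manifest. The list of quarantined items comes
from the manifest, so an entry stays visible even if the file in the quarantine
folder carries HIDDEN+SYSTEM. Added example, not MCShield's implementation;
MANIFEST and the record fields are assumptions."""
import hashlib
import json
import os
import shutil
import sys
import tempfile
import time

MANIFEST = "quarantine.json"       # assumed: sidecar kept inside the quarantine folder
FILE_ATTRIBUTE_HIDDEN = 0x2        # winnt.h
FILE_ATTRIBUTE_SYSTEM = 0x4


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_attributes(path):
    """Raw Windows attribute word; 0 on platforms without st_file_attributes."""
    return getattr(os.stat(path), "st_file_attributes", 0)


def set_attributes(path, attrs):
    """Re-apply the recorded attribute word on Windows; no-op elsewhere."""
    if sys.platform == "win32" and attrs:
        import ctypes
        if not ctypes.windll.kernel32.SetFileAttributesW(path, attrs):
            raise ctypes.WinError()


def _load(qdir):
    p = os.path.join(qdir, MANIFEST)
    if not os.path.exists(p):
        return {}
    with open(p, encoding="utf-8") as f:
        return json.load(f)


def _save(qdir, entries):
    with open(os.path.join(qdir, MANIFEST), "w", encoding="utf-8") as f:
        json.dump(entries, f, indent=2)


def quarantine(path, qdir, reason="Suspicious"):
    """Move `path` into `qdir` under a unique name and record how to undo it."""
    os.makedirs(qdir, exist_ok=True)
    entries = _load(qdir)
    original = os.path.abspath(path)
    digest, attrs = md5_of(path), file_attributes(path)
    qname = "%s.%d.%s" % (os.path.basename(path), int(time.time()), digest[:8])
    shutil.move(path, os.path.join(qdir, qname))
    entries[qname] = {"original": original, "attributes": attrs, "md5": digest, "reason": reason,
                      "was_hidden": bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))}
    _save(qdir, entries)
    return qname


def list_quarantine(qdir):
    """(name, original path, md5) for every item, from the manifest, not a dir listing."""
    return [(n, e["original"], e["md5"]) for n, e in sorted(_load(qdir).items())]


def restore(qname, qdir):
    """Move the file back, check it is still what was quarantined, re-apply attributes."""
    entries = _load(qdir)
    entry = entries.pop(qname)
    src = os.path.join(qdir, qname)
    if md5_of(src) != entry["md5"]:
        raise ValueError("%s no longer matches its recorded MD5" % qname)
    os.makedirs(os.path.dirname(entry["original"]), exist_ok=True)
    shutil.move(src, entry["original"])
    set_attributes(entry["original"], entry["attributes"])
    _save(qdir, entries)
    return entry["original"]


def demo():
    """Round trip on a constructed file in a temp dir; returns the checks as booleans."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "Q", "autorun.inf")
    os.makedirs(os.path.dirname(victim))
    content = b"[autorun]\r\nopen=LenovoQDrive.exe\r\n"      # constructed, not the real file
    with open(victim, "wb") as f:
        f.write(content)
    qdir = os.path.join(root, "Quarantine")
    qname = quarantine(victim, qdir)
    gone = not os.path.exists(victim)
    hash_ok = list_quarantine(qdir) == [(qname, victim, hashlib.md5(content).hexdigest())]
    back = restore(qname, qdir)
    with open(back, "rb") as f:
        restored_ok = f.read() == content and back == victim
    empty_after = list_quarantine(qdir) == []
    shutil.rmtree(root)
    return gone, hash_ok, restored_ok, empty_after
```

Recording the attribute word matters because a move across volumes goes through a copy, and Python's `shutil` does not carry the Windows HIDDEN/SYSTEM bits across that copy; the manifest is what lets `restore()` put them back, which is the answer to the question of whether the restored files should be hidden again.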

dr_Bora

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #106 on: November 25, 2012, 10:33:45 AM »
1. The files are whitelisted, detection should not occur again.

2. The items not showing in quarantine despite being there: obviously, a bug that needs to be fixed.

3. The files were hidden, you can hide them again if you wish.

I hope you understand that the data in your recovery partition was not damaged in any way (in fact, that's not even a recovery partition, it's a backup partition). The program LenovoQDrive.exe is used to create recovery media and to delete the contents of that partition ("Lenovo has provided a copy of the original factory preloaded software in this partition. For convenience, this utility allows you to recover this space once you have made a copy of this software to DVD. We strongly recommend that you make a copy using the Create recovery media utility in the Windows start menu or by selecting the option below..."), so if you have a recovery DVD, you can delete everything on that partition and free HDD space.
« Last Edit: November 25, 2012, 10:36:55 AM by dr_Bora »

Offline ky331

  • Sr. Member
  • Posts: 303
Re: 2nd layer protection for USB drives: MCShield
« Reply #107 on: November 25, 2012, 04:06:07 PM »
Dr. Bora,

Thank you for your prompt reply.

The opening sentence of your program's documentation states: 
http://amf.mycity.rs/mcshield/Doc/MCShield_Help_EN.pdf
"MCShield is an antimalware tool designed to prevent infections transmitted via removable drives (USB flash drives, memory cards..., external hard drives)".   Granted, later on (page 3) it notes the option to "enable initial scan of all hard drives" --- without explicitly stating whether these are only the external ones, as cited above, or the internal ones as well... apparently, based on my experience, the latter case is what occurs.   Since this option was pre-checked, the internal hard drives are scanned immediately, as soon as the program runs for the first time.

My interest in testing MCShield was for its removable drive protection (to supplement an anti-virus program).   I assume that's the case for most people trying it.  So my first question is whether MCShield should even be considering internal hard drives at all?    And secondly, why is the hard-drive option pre-selected by default [on the initial run of the program]?  I can imagine a less-experienced user panicking when s/he sees some files "deleted" from their main hard drive... and in a worst-case scenario, finding out their system doesn't boot-up again. 

Isn't renaming of the suspicious/malware files [in-place, on their drives] sufficient to stop the malware from executing as intended?   Is it really necessary to also quarantine it?   Perhaps you might consider having your program distinguish between internal drives and removable drives, limiting the impact on internal drives solely to renaming???

1. "The files are whitelisted, detection should not occur again".   Thank you!   I had also added them to MY whitelist tab --- before seeing this response.   (I doubt "double-whitelisting" can hurt anything.)

2. "The items not showing in quarantine despite being there: obviously, a bug that needs to be fixed".  I would consider this a very significant "bug"... I'm surprised that no one else (??) had reported it previously.  By the way, the same thing [no files appearing under the quarantine tab] happened on another system (Dell PC, USB drive).   This can be very scary to just about any user, no matter how experienced they might be.

3. "the data in your recovery partition was not damaged in any way... "  Thank you very much for this reassurance.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • Posts: 48582
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #108 on: November 25, 2012, 04:24:36 PM »
The first rule should always be "Do no Harm". I haven't found that to be the case and, for that reason, decided to opt out.
I'll wait till this program has become more mature and reliable.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: 2nd layer protection for USB drives: MCShield
« Reply #109 on: November 25, 2012, 07:02:21 PM »
@bob
It has already been discussed & explained that MCS is a very good, quality tool, but it has never been said that MCS is perfect. Does perfect software exist?
FPs unfortunately must happen sometimes, but they serve the purpose of better detection in the future. FPs are mainly related to just autorun.inf (...if it comes to FPs).
This is the main reason why MCS renames suspicious autoruns: to prevent the execution of malicious malware.
If you are able to make a better tool than MCS, then be assured that I will use your tool and recommend it to others.  :D

Let's forget MCS for a moment. Every leading protection software has, once in its life (or more than once), had such heavy FPs that some of them led to system crashes.
Does this mean that such FP detections will not occur anymore? Does this mean that they are all bad products?
No and No.
Most of them are still the best software for malware protection...

MCS has been active for just about two years. The developers don't earn anything by developing MCS, nor do they have any kind of income from it. They all work on a voluntary basis, using their free time to develop MCS.
Another important fact is that the authors of the MCS program are malware removal experts who have been in this "business" long before me.
From these facts, the authors know how malware works and how best to prevent it from executing.

From what I wrote above... if you're not willing to "help" with development, then the least you can do is acknowledge their hard work,
not just belittle it.

Please, don't get me wrong, and don't take my post too critically, but I had to answer you.  ;D
If you don't like it, just don't use it.  :)

Best regards bob,
magna
« Last Edit: November 25, 2012, 07:06:55 PM by magna86 »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • Posts: 48582
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: 2nd layer protection for USB drives: MCShield
« Reply #110 on: November 25, 2012, 07:07:09 PM »
I didn't belittle; I simply listed my reasons for no longer using the product.
I praise things I like not things that give me problems.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: 2nd layer protection for USB drives: MCShield
« Reply #111 on: November 25, 2012, 07:09:28 PM »
Quote
The first rule should always be "Do no Harm".
Dr. Bora, I feel the same. The user must be warned (at least there should be a setting for that).
Automatic quarantine and false positives are a bad user experience...
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: 2nd layer protection for USB drives: MCShield
« Reply #112 on: November 25, 2012, 07:12:04 PM »
Quote
Since this option was pre-checked, the internal hard drives are scanned immediately, as soon as the program runs for the first time.
Hmmm... Maybe it should detect if it is a fixed drive or a removable one and not by the letter only...

iroc9555

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #113 on: November 25, 2012, 09:30:54 PM »
Quote
My interest in testing MCShield was for its removable drive protection (to supplement an anti-virus program).   I assume that's the case for most people trying it.  So my first question is whether MCShield should even be considering internal hard drives at all?    And secondly, why is the hard-drive option pre-selected by default [on the initial run of the program]?  I can imagine a less-experienced user panicking when s/he sees some files "deleted" from their main hard drive... and in a worst-case scenario, finding out their system doesn't boot-up again.

+1


Quote
Dr. Bora, I feel the same. The user must be warned (at least there should be a setting for that).
Automatic quarantine and false positives are a bad user experience...

+1 too. I feel the same. MCShield needs some kind of alert before automatically renaming/quarantining anything.

dr_Bora

  • Guest
Re: 2nd layer protection for USB drives: MCShield
« Reply #114 on: November 25, 2012, 09:35:32 PM »
Regarding the hard drives treatment... There is no way for me to know if a drive is indeed internal fixed drive or external / removable (in some way) hard drive.
A HDD can be assembled inside the PC case and tightened with screws. The same drive can be in some kind of a HDD rack. The same drive can be connected via some kind of cable/adapter. You can also have a HDD that connects only via USB. All these are considered to be hard disk drives and Windows treats them in the same way; so does MCS.

So, I can choose between scanning hard drives or not scanning hard drives. Why was the first option chosen?
Let's take the example of ky331's hard drive: in this case, the program made a FP. Sure, that's bad. The program sucks. Right?

Now, let's say that ky331 took that hard drive and connected it to his neighbour's PC to transfer some files. Let's also say that the other guy's PC is infected with the Win32.Sality file infector. This does not necessarily mean that ky331's files are infected, but what it does mean is that the virus has placed its dropper (a worm component) in the root of the hard drive's partitions.

The hard drive is reconnected back to the originating PC and the PC is turned on. MCS starts the initial scan and removes the malware dropper and prevents infection with Sality. Is this still bad? Does the program still suck?

What I'm trying to say is that there's a good reason why MCS performs a quick scan of the root of the HDD partitions.

The initial scan is performed every time the program is started; that's why the scan happens directly after installation. What I could do here is to make the setup ask the user whether to perform the scan immediately or not (if it's considered desirable). Can't really think of anything else I could change regarding this (HDD scan could be unchecked by default, but this doesn't sound like a good idea).



As I explained on previous pages, there's no time to ask about some things, they simply need to be done immediately and implementing any kind of "ask the user" option is not that easy. I do have an idea of an approach that could be of interest to advanced users, but it's still in the "thinking about it" phase so I don't want to make any promises (when I have a working build I'll let you test it and give opinions whether that's what you want before full implementation (GUI changes, translations, etc.)).

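What Windows actually exposes for the distinction dr_Bora and Lisandro are discussing, as an added example (not MCShield code, and not a claim about how MCShield enumerates drives). `GetDriveType`, the "fixed or removable" check Lisandro suggests, returns DRIVE_FIXED for the system SATA disk and for a USB-attached hard disk alike, which is exactly the limitation dr_Bora describes. The storage class driver does know the bus, and `IOCTL_STORAGE_QUERY_PROPERTY` with `StorageDeviceProperty` returns it in `STORAGE_DEVICE_DESCRIPTOR.BusType`. The bus names, the `EXTERNAL_BUSES` policy and the labels returned by `classify()` are my own assumptions; the Windows-only probe is guarded so the pure classification can run anywhere.

```python
"""What Windows reports about the disk behind a drive letter. Added example, not
MCShield code. GetDriveType answers DRIVE_FIXED for an internal SATA disk and
for a USB hard drive alike (dr_Bora's point); the storage class driver's bus
type, from IOCTL_STORAGE_QUERY_PROPERTY, separates the two. The labels that
classify() returns are my own policy."""
import ctypes
import string
import sys

DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_CDROM = 2, 3, 5                      # winbase.h
BUS_NAMES = {1: "SCSI", 2: "ATAPI", 3: "ATA", 4: "1394", 7: "USB", 8: "RAID",
             9: "iSCSI", 10: "SAS", 11: "SATA", 12: "SD", 13: "MMC", 17: "NVMe"}  # STORAGE_BUS_TYPE
EXTERNAL_BUSES = (4, 7)                                                   # assumed policy: 1394, USB
IOCTL_STORAGE_QUERY_PROPERTY = 0x002D1400


def classify(drive_type, bus_type, removable_media):
    """Pure policy on the raw facts, so it can be tested on any platform.
    A USB-attached hard disk is DRIVE_FIXED with RemovableMedia == 0: only the
    bus tells it apart from the system disk."""
    if drive_type == DRIVE_CDROM:
        return "optical"
    if drive_type == DRIVE_REMOVABLE or removable_media:
        return "removable"
    if drive_type == DRIVE_FIXED:
        return "external-hdd" if bus_type in EXTERNAL_BUSES else "internal-hdd"
    return "other"


if sys.platform == "win32":
    from ctypes import wintypes

    class STORAGE_PROPERTY_QUERY(ctypes.Structure):
        _fields_ = [("PropertyId", wintypes.DWORD), ("QueryType", wintypes.DWORD),
                    ("AdditionalParameters", ctypes.c_ubyte * 1)]

    class STORAGE_DEVICE_DESCRIPTOR(ctypes.Structure):
        _fields_ = [("Version", wintypes.DWORD), ("Size", wintypes.DWORD),
                    ("DeviceType", ctypes.c_ubyte), ("DeviceTypeModifier", ctypes.c_ubyte),
                    ("RemovableMedia", ctypes.c_ubyte), ("CommandQueueing", ctypes.c_ubyte),
                    ("VendorIdOffset", wintypes.DWORD), ("ProductIdOffset", wintypes.DWORD),
                    ("ProductRevisionOffset", wintypes.DWORD), ("SerialNumberOffset", wintypes.DWORD),
                    ("BusType", wintypes.DWORD), ("RawPropertiesLength", wintypes.DWORD),
                    ("RawDeviceProperties", ctypes.c_ubyte * 1)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, wintypes.LPVOID,
                                wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    k32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID, wintypes.DWORD,
                                    wintypes.LPVOID, wintypes.DWORD, ctypes.POINTER(wintypes.DWORD),
                                    wintypes.LPVOID]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.GetDriveTypeW.argtypes = [wintypes.LPCWSTR]
    INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value

    def bus_of(letter):
        """(BusType, RemovableMedia) for volume `letter`; access mask 0 needs no admin rights."""
        h = k32.CreateFileW(r"\\.\%s:" % letter, 0, 3, None, 3, 0, None)  # share r/w, OPEN_EXISTING
        if h == INVALID_HANDLE_VALUE:
            return 0, False
        query, desc, got = STORAGE_PROPERTY_QUERY(0, 0), STORAGE_DEVICE_DESCRIPTOR(), wintypes.DWORD(0)
        try:
            ok = k32.DeviceIoControl(h, IOCTL_STORAGE_QUERY_PROPERTY, ctypes.byref(query),
                                     ctypes.sizeof(query), ctypes.byref(desc), ctypes.sizeof(desc),
                                     ctypes.byref(got), None)
        finally:
            k32.CloseHandle(h)
        return (desc.BusType, bool(desc.RemovableMedia)) if ok else (0, False)

    def survey():
        """letter -> (GetDriveType value, bus name, classify() label) for every mounted volume."""
        mask, out = k32.GetLogicalDrives(), {}
        for i, letter in enumerate(string.ascii_uppercase):
            if mask & (1 << i):
                dtype = k32.GetDriveTypeW("%s:\\" % letter)
                bus, removable = bus_of(letter)
                out[letter] = (dtype, BUS_NAMES.get(bus, "bus%d" % bus), classify(dtype, bus, removable))
        return out

    if __name__ == "__main__":
        for letter, info in sorted(survey().items()):
            print(letter, *info)
```

The bus type describes the interconnect, not where the disk physically sits: a drive screwed into the case behind a USB bridge reports USB, and an eSATA disk on the desk reports SATA, so this refines dr_Bora's distinction rather than replacing it. It is still a better basis for a "scan this on attach" decision than the drive letter or `GetDriveType` alone.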
Offline Pondus

  • Probably Bot
  • Posts: 37544
  • Not a avast user
Re: 2nd layer protection for USB drives: MCShield
« Reply #115 on: November 25, 2012, 10:04:49 PM »
Quote
I didn't belittle; I simply listed my reasons for no longer using the product.
I praise things I like not things that give me problems.
well....there are some that have problems with avast also...
and I remember a big FP case that turned this forum upside down and inside out for a week or so



magna86
Quote
Another important fact is that the authors of MCS program are malware removal experts who have been in this "business" long before me.
From this facts, authors know how malware works, and how best to prevent the same from execution.
+1 ..... yep, that's why it is best to leave this to those who know this stuff best


Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: 2nd layer protection for USB drives: MCShield
« Reply #116 on: November 26, 2012, 12:36:52 AM »
Quote
there's no time to ask about some things, they simply need to be done immediately and implementing any kind of "ask the user" option is not that easy.
Well, I think we're talking about drivers and a service... aren't we?
The automatic send-to-quarantine could be configured the way an antivirus does it, blocking/freezing the actions of the file. Would this be a conflict between the running antivirus and MCShield?

At least, if a file is moved, the user must not have the possibility of NOT seeing the alert window/report. Right now, the user could disable this and won't even know that MCShield has moved a file...

Offline Pondus

  • Probably Bot
  • Posts: 37544
  • Not a avast user
Re: 2nd layer protection for USB drives: MCShield
« Reply #117 on: November 26, 2012, 01:04:47 AM »
Quote
Right now, the user could disable this and won't even know that MCShield has moved a file...
there is a log   ;)

all programs > MCShield > log

Offline ky331

  • Sr. Member
  • Posts: 303
Re: 2nd layer protection for USB drives: MCShield
« Reply #118 on: November 26, 2012, 01:33:35 AM »
Dr. Bora,

I hope you're not taking my comments... and what I intended as suggestions... the wrong way.   I never said your program "sucked" (to use the word you invoked in your recent reply).   I understand FP's are a part of anti-virus / anti-malware "life", especially when it comes to heuristic detections, and that this will never change.   I accept that.

Indeed, I am still keeping and continuing to test your program on 3 systems.   If I didn't believe in its potential/value, I would have immediately removed it from them all.

I offered a suggestion about distinguishing between internal and external hard drives... and you've explained that this is not feasible.

I questioned whether detections on hard drives should be pre-selected by default... or even at all... and you've offered your expert analysis as to why this should be the case.

But there was a third suggestion that I don't believe you've responded to yet... and so I would like to ask again:   Isn't renaming of the suspicious/malware files [in-place, on their drives] sufficient to stop the malware from executing as intended?   Is it really necessary to also quarantine it?   I am now asking this question in general, be it for hard drives (internal or external) or for any other removable media such as USBs?   Unless your contention is that renaming is insufficient to stop the malware's action, I believe renaming would be more transparent to users, and easier for them to "fix" in the event of a F/P.   

If nothing else, I believe my reporting the "hiding" of files from your quarantine --- which you acknowledged as a "bug" --- is an important, concrete improvement that I expect you will be implementing at your earliest convenience.
« Last Edit: November 26, 2012, 01:38:22 AM by ky331 »
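An added example for the rename-versus-quarantine question above (my code, not MCShield's, and not a description of MCShield's detection logic). The shell only consults a root file literally named autorun.inf, so a file renamed to autorun.inf.vir is inert for AutoRun purposes while staying on disk for review; what the file would have done is readable from its [autorun] section. The parser below handles the loose INI dialect these files use and reports the directives that make Explorer run something: open=, shellexecute=, and the shell\<verb>\command= keys that hijack Explorer's own Open/Explore verbs. Both samples are constructed for the example; the first mimics a vendor autorun like the Lenovo one in ky331's log, the second the shape autorun worms use. The heuristics and the extension list are my own choices.

```python
"""Parse an autorun.inf and list what it would make Explorer run. Added example;
the heuristics are mine, not MCShield's. Sample files are constructed."""
import re

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_KEYVAL = re.compile(r"^([^=]+?)\s*=\s*(.*?)$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js",
            ".wsf", ".hta", ".lnk", ".dll")                   # assumed list
HIJACKED_VERBS = ("open", "explore", "autoplay")            # verbs worms override

# Constructed samples (not real file contents).
LENOVO_LIKE = "[autorun]\r\nopen=LenovoQDrive.exe\r\nicon=LenovoQDrive.exe,0\r\nlabel=Lenovo_Recovery\r\n"
WORM_LIKE = ("[AutoRun]\r\n; junk comment\r\n"
             "shellexecute=RUNDLL32.EXE .\\RECYCLER\\dropper.dll,Start\r\n"
             "shell\\Open\\Command=.\\RECYCLER\\dropper.exe\r\n"
             "shell\\explore\\command=.\\RECYCLER\\dropper.exe\r\n"
             "shell=Explore\r\n")


def parse_autorun(text):
    """{section: {key: value}}; keys and section names lower-cased, ';' comments
    and lines outside any section dropped. Repeated sections are merged."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            cur = m.group(1).strip().lower()
            sections.setdefault(cur, {})
            continue
        m = _KEYVAL.match(line)
        if m and cur is not None:
            sections[cur][m.group(1).strip().lower()] = m.group(2)
    return sections


def first_program(command):
    """Program name from a command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)].lower()
    return command.split()[0].lower() if command else ""


def launch_targets(sections):
    """(key, command) pairs in [autorun] that make the shell run something:
    open=, shellexecute=, and shell\\<verb>\\command=."""
    found = []
    for key, val in sections.get("autorun", {}).items():
        parts = key.split("\\")
        if key in ("open", "shellexecute") or (
                len(parts) == 3 and parts[0] == "shell" and parts[2] == "command"):
            found.append((key, val))
    return found


def assess(text):
    """Human-readable findings; an empty list means nothing would be executed."""
    auto = parse_autorun(text).get("autorun", {})
    findings = []
    for key, cmd in launch_targets({"autorun": auto}):
        prog = first_program(cmd)
        if prog.endswith(EXEC_EXT) or "rundll32" in prog:
            findings.append("%s runs %s" % (key, cmd))
        parts = key.split("\\")
        if len(parts) == 3 and parts[1] in HIJACKED_VERBS:
            findings.append("%s replaces Explorer's '%s' verb" % (key, parts[1]))
    default = auto.get("shell")
    if default and default.lower() != "open":
        findings.append("default verb redirected to shell\\%s" % default)
    return findings


if __name__ == "__main__":
    for name, sample in (("vendor-like", LENOVO_LIKE), ("worm-like", WORM_LIKE)):
        print(name, assess(sample))
```

Run against the vendor-like sample this yields a single finding (open= runs an executable), which is the whole reason a benign vendor autorun looks like a worm's to a root-of-volume heuristic; the worm-like sample yields six, including the verb hijacks. Renaming keeps that evidence available for exactly this kind of review, which is the transparency argument ky331 makes; quarantining removes the executable the autorun would have launched, which the rename alone does not.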

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: 2nd layer protection for USB drives: MCShield
« Reply #119 on: November 26, 2012, 12:36:03 PM »
Quote
Right now, the user could disable this and won't even know that MCShield has moved a file...
there is a log   ;)

all programs > MCShield > log
Log? Will a user look for a log? It should be a visible warning...