
Regarding MBAM, SAS and other anti-malware programs to disinfect USB Drives?


3 replies to this topic

#1 SledgeVan

SledgeVan

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:07 PM

Posted 29 April 2010 - 02:44 PM

Hi, I have some questions regarding flash drives and USB drive infections.

First, I looked through this forum and most use anti-virus/malware programs like Malwarebytes and Superantispyware to get rid of infections residing on internal hard drives and the Windows registry in particular. However, are these programs capable of disinfecting external drives such as flash drives, USB hard disks and DVD-R the way they disinfect internal hard drives? I recently had my USB hard disk infected; AVG Free 9.0 detected and quarantined them, but somehow I don't think they are gone (maybe paranoid?).

Secondly, I heard that USB drives use autorun stuff to infect a clean PC the moment it is plugged in. How do I prevent such infection from external drives without using stuff like Panda USB Vaccine (I do not understand its usage)? I do use MBAM, SAS and AVG Free 9.0.

Pls forgive if I sound stupid, and thanks for any insight provided!


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,609 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:07 AM

Posted 29 April 2010 - 09:16 PM

External storage media and flash (usb, pen, thumb, jump) drives are prone to infections which involve malware that modifies/loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.inf uses the Windows Explorer right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or the drive icon is double-clicked. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Keep in mind that autorun.inf can also be a legitimate file which other legitimate programs depend on, so the presence of that file may not always be an indication of infection.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful. Disabling autorun/autoplay does not prevent you from accessing your media sources. They are still available by opening My Computer and accessing the source drive (CD, DVD, USB or external hard drive). Pictures on a camera can still be accessed through My Pictures and selecting "Get Pictures" from a scanner or camera. Media can be accessed via the program you normally use it with such as music CDs via Media Player, blank CDs via burning software, image handling software provided with the camera. I strongly recommend you leave the autorun feature disabled and get into the habit of accessing your media devices manually.

An easy way to disable Autorun on a specific drive is to download and use Microsoft Power Toy Tweak UI and then follow these instructions

If using Windows XP Pro you can also use the Group Policy Editor to disable autorun for USB & CD-ROM devices. To do this, please refer to:
If using Windows Vista, please refer to:
If using Windows 7, please refer to:
Note: For steps that require registry changes, always back up your registry before making any changes.

However, disabling AutoRun is not enough. See Scott Dunn's One quick trick prevents AutoRun attacks. For most novice users, the easiest way to inoculate a USB flash drive is to create a Read-only folder on the drive and name it autorun.inf. This folder will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and executing malicious files as described in How to Maximize the Malware Protection of Your Removable Drives.

You can download and use Autorun Eater or Autorun USB Virus Finder which will allow removal of any suspicious 'autorun.inf' files they find.

Panda USB Vaccine allows for computer and usb vaccination.
  • Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not.
  • USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

Another option for XP users is Flash_Disinfector by sUBs. Please read About Flash Disinfector by Papakid and USB/Flash Drive Safety by TheJoker.

Finally, always scan USB flash drives and any external storage media after they have been used in other computer systems, even your own. An easy way to do this is to download "ClamWin Portable Antivirus", put it on your USB Flash Drive, update its definition files and perform a scan.

Other scanning tools:
  • Malwarebytes Anti-Malware. For usb flash drives and/or other removable drives, perform a Full scan. The option for a Flash Scan will analyze memory and autorun objects but that option is only available to licensed users in the paid version.
  • Norman Malware Cleaner. Be sure to print out the instructions provided on the same page. For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.
  • Dr.Web CureIt. Choose Custom Scan after the Express Scan has finished to add your usb drive to the scan.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
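As an added illustration (not code from this thread or from any of the tools named above) of two points in the reply: which autorun.inf directives cause a file to run when a drive is mounted or opened from Explorer, and how to check whether a drive root already carries the read-only autorun.inf folder inoculation. The autorun.inf content, the payload path and the drive roots are all constructed; the script only reads text and directory entries, so it runs on any OS.

```python
import tempfile
from pathlib import Path
# Constructed sample of the kind of autorun.inf a worm drops: it points the
# AutoRun action and the Open/Explore context-menu verbs at a hidden executable.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; junk lines such as the next one are common and must be skipped
!@#$%^&*
open=RECYCLER\\payload.exe
shell\\open\\Command=RECYCLER\\payload.exe
shell\\explore\\command=RECYCLER\\payload.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

def parse_autorun(text):
    """[autorun] key/value pairs, keys lower-cased; lines without '=' are skipped."""
    directives, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives

def launch_directives(directives):
    """Directives that execute a file: open=/shellexecute= fire on AutoRun,
    shell\\<verb>\\command= rewrites Explorer's Open/Explore verbs."""
    return sorted((k, v) for k, v in directives.items()
                  if k in ("open", "shellexecute")
                  or (k.startswith("shell\\") and k.endswith("\\command")))

def inoculation_status(drive_root):
    """'folder' = inoculated (a directory holds the name); 'file' = inspect it; else 'absent'."""
    target = Path(drive_root) / "autorun.inf"
    if target.is_dir():
        return "folder"
    return "file" if target.is_file() else "absent"

def demo():
    """Two constructed drive roots in a temp dir: one infected, one inoculated."""
    with tempfile.TemporaryDirectory() as tmp:
        infected, clean = Path(tmp, "infected"), Path(tmp, "inoculated")
        infected.mkdir(); (infected / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
        (clean / "autorun.inf").mkdir(parents=True)
        return inoculation_status(infected), inoculation_status(clean)
```

Point inoculation_status at a real drive root (for example "E:\\") to see whether the folder trick from the post is in place; a "file" result is the cue to run it through parse_autorun and launch_directives before opening the drive.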

#3 SledgeVan

SledgeVan
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:07 PM

Posted 30 April 2010 - 05:31 AM

Thanks Quietman7, it has been very informative, though some parts are harder to digest for a novice like me.

I'm also concerned about the "curing" section, apart from the "preventive" section you mentioned above.

Consider my recent scenario:

If I've been attacked by an infection from a USB drive (i.e. AVG Free's Resident Shield alerted me about 3 trojan infections, then quarantined them), can I safely assume that AVG got rid of them, or is the infection still lingering in the USB drive or the C drive? What's the best course of action after falling prey to such infections? Should I format my USB drive, then scan my C drive to ensure the malware did not infect my computer as well? The computer appears to be functioning as normal though.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,609 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:07 AM

Posted 30 April 2010 - 06:55 AM

When an anti-virus or security program quarantines a file by renaming and moving it into a virus vault (chest) or a dedicated quarantine folder, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive", especially if the scanner uses heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be malicious, you can delete it at any time.

What's the best course of action after falling prey to such infections? Should I format my USB drive, then scan my C Drive to ensure the malware did not infect my computer as well?

Depends on the infection, as some are more difficult to remove than others. Formatting is always an option as that removes everything. As I said previously, regularly scan USB flash drives and any external storage media, especially after they have been used in other computer systems. Whenever you discover an infection on your flash drive, you should always scan your hard drive to ensure it has not transferred the infection.
