2nd layer protection for USB drives: MCShield

@dr_Bora,
Thanks for the added information.
I appreciate the time you’ve taken to explain your program. :slight_smile: 8)

Thanks Bora.
I can follow the logic behind the programming decisions.

Hi folks,

My forum friend, Pondus, alerted me to this 2nd layer protection for USB, and I decided to install it. If something is detected, it alerts early in the scan sequence that the particular drive is infected, and you are advised not to interrupt. Advanced users will want to check against an FP. On the other hand, the logs neatly produce a hash for what is found, but that is sometimes no guarantee of getting the actual infection info you'd like to have as a verifiable indication.
The only software that is specific for USB, but has to come installed there or on the PC, is called MX One Antivirus; it is Mexican freeware and runs neatly alongside your resident AV solution. I did miss the comparison of these two products in this thread. Maybe someone can comment?
Also good is that when you do not travel or use peripherals, you can disable it for the time you have no need for it.
I would say, a little minus for the interface being a bit basic, a big plus for detection of infections that normally go under the detection radar, like desktop.ini etc. Use it like "an extra mirror to look into the normally blind corners".

polonus

And while we’re at it, here are some more USB antivirus products.

PNY antivirus, http://www. y2000.com.tw/Engweb/pnyusbav.html (rebranded Snowy Owl antivirus)
Naevius USB Antivirus http://www. naevius.com/usb_antivirus.htm

I know for sure, that there are more USB antivirus products that I did not bookmark. Any interest in a list?

Naevius is also referred to from the future (Posted on 05-07-2013):
hXXp://www. bestfreeantivirus2013.net/ free-ernt-system-antivirus-2013/

They also have links to Free Usb Flash Drive Autorun Antivirus 2013 and Free Antisapetik Usb 2013 Antivirus
hXXp://www. bestfreeantivirus2013.net/ free-usb-flash-drive-autorun-antivirus-2013/
hXXp://www. bestfreeantivirus2013.net/ free-antisapetik-usb-2013-antivirus/

EDIT: And some more; it seems to be a lukewarm item, I might say 'somewhat trending', keeping up with the hipsters.
hXXp://download. cnet.com/USB-Drive-Antivirus/3000-2239_4-10841283.html
hXXp://www. usbantivirus.net/
hXXp://www. trustport.com/en/products/trustport-usb-antivirus
hXXp://www. softpedia.com/downloadTag/USB+Antivirus (GGreat is Snowy Owl, see previous post)
hXXp://thepcsecurity. com/mx-one-free-usb-portable-antivirus-for-malware-removal/
hXXp://usb-av-antivirus. en.malavida.com/
hXXp://www. hongkiat.com/blog/tools-to-protect-computer-from-infected-usb-drives/

Hi Kwartet!,

Thanks for the survey. Handy for those testers out here…
This thread will probably continue because protection of peripheral (flash) disks will be more and more of an issue for all of us.

From Plug and Play and then Pray to Plug and Play in a Better and More Secure Way.
The rhyme quote I made up myself...

As I look for effectiveness and compare MX One to McShield 2.1.413, I would go for the second solution.
On an old USB stick that I scanned, McShield found another issue, an autorun.inf, and went on to rename it.
MX One just always found a lot of unknown files and wanted to send these home for further evaluation.
So it reminded me more of a data collection tool.
The actions thereof reminded me of the RUBotted beta tool.
It sits there in the background and never alerted me to anything, and the logs are still empty from the moment I installed it…
The only thing I'd really like McShield to add is possible user interaction before malcode is being processed,
so there is room for a second opinion…

polonus

I tried to install this program. First of all, I want to note that I could not download it from the manufacturer. After clicking on the download button I was redirected to another site that was blocked by the Bitdefender TrafficLight extension in my Firefox as a site with malicious content. Well, I opened Google Search and found http://mx-one-antivirus.en.malavida.com/ where I downloaded not the installation file but a small program that in its turn downloaded the installation file right onto my desktop. After that I started the installation process, during which Avast's Autosandbox asked me several times if I wanted to start every component sandboxed.

The first window asked me what I wanted: to install the program on a USB or on my computer. I chose the second option. Then I was asked about the installation process language and I chose Russian. During the process I was asked if I would like to install a Babylon toolbar and I had to uncheck three boxes to refuse. One of the windows asked me to choose the interface language - I had to choose English because they don't have Russian. Strange, but they could find Russian only for the installation windows. After the installation I got the program's icon in the system tray - a simple blue square with the white letters "MO". Not very informative, I think. When I right-clicked it I saw a menu not fully translated from Spanish and with the automatically checked option "Disable Real Time Protection".

Then I was prompted that the program needed to update its database and I allowed the update. It took less than 20 seconds to update the database. Now I tried to test the program. I don't have an infected USB, so I inserted one of my USBs just to see it in action. In two seconds I saw the result (see my screenshot 2). I clicked OK and got the suggestion to analyze the USB in full (screenshot 3). I agreed and instantly got the same result as in MO1. I clicked OK again and saw the scan results window (screenshot 4). I closed the window and saw the main window (screenshot 1), which I closed too.

My first impression is that the program is fast but the interface needs a lot of improvement and translation.


http://s55.radikal.ru/i149/1209/bc/aeac75a22d79.jpg

http://i064.radikal.ru/1209/df/480fea049b31.jpg

http://s54.radikal.ru/i143/1209/69/bb25844cf6c1.jpg

http://s019.radikal.ru/i608/1209/24/d6c52c0d84bf.jpg

Hi: I continue to use MCShield v.2.1.4 with no problems.
I have it set as 'on demand'. When using USB I execute MCS before inserting the device. MCS updates immediately and then scans the flash drive.
I then allow MCS to run as I work through various flash drives.
Works for me. :wink: :slight_smile:

Last part of my contribution: I reached page 20 of Google and filtered against cnet, naevius, and some more. There are rogue sites offering to uninstall Naevius, and I saw some crack and keygen sites. All YouTube stuff is useless at best (showing you where to click), malicious at worst (linking to rogue software).

hXXp://www.myantispyware. com/2009/01/08/flash-disinfector-free-autoruninf-trojans-removal-tool/
hXXp://usb-disk-security. com/
hXXp://www.itechdaddy. com/USB_Antivirus.aspx
hXXp://www.ehow. com/list_6657744_usb-antivirus-tools.html
hXXp://www.autorunremover. com/effective-antivirus.html (I believe I saw that one in one of the links above)
hXXp://www.usbqc. com/
hXXp://kenai. com/projects/petirojo/sources/petirojo-svn/show
hXXp://www.usb-security-protection. com/download.html
hXXp://www.mydigitallife. info/new-lg-vaccine-usb-flash-drive-with-antivirus-and-malware-protection-software/

DOUBTFUL
hXXp://www.ubergizmo. com/2010/04/u-usb-hub-with-antivirus-scanning
hXXp://www.youtube. com/watch?v=qNrs89LadtU
hXXp://www.youtube. com/watch?v=1Woiwas1OQU LEGIT?
hXXp://www.youtube. com/watch?v=WehY2YoiBKk NOT LEGIT

I did contemplate software to be installed on the USB device. This seems to offer protection to other PCs and environments (Linux, OS X). But it also implies some form of autorun wherever it is supposed to be active. Autorun we avoid like the plague. Any protection for other PCs and environments should therefore be static.
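The host-side counterpart to "avoid autorun like the plague" is checking whether the PC still honours AutoRun at all. The following is an added example, not code from any product in this thread: the `NoDriveTypeAutoRun` bit layout (bit n of the mask disables AutoRun for drives whose `GetDriveType()` value is n, `0xFF` disables it everywhere) and the HKLM-over-HKCU precedence are Microsoft's documented behaviour; the function names, the `0x91` sample mask and the wording of the verdict are mine.

```python
"""Host-side check: is AutoRun already off for removable drives?

Added example, not part of any product in this thread. NoDriveTypeAutoRun is
a bitmask under Policies\\Explorer; bit n disables AutoRun for drives whose
GetDriveType() value is n, and 0xFF switches it off for every drive type.
"""
try:
    import winreg            # Windows only; elsewhere the registry read is skipped
except ImportError:
    winreg = None

DRIVE_TYPE_BITS = {          # GetDriveType() values 0..6 used as bit positions
    "unknown": 1 << 0, "no_root_dir": 1 << 1, "removable": 1 << 2,
    "fixed": 1 << 3, "remote": 1 << 4, "cdrom": 1 << 5, "ramdisk": 1 << 6,
}
ALL_DRIVES = 0xFF
POLICY_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def autorun_disabled_for(mask, drive_type):
    """True when the mask blocks AutoRun for that drive type."""
    return bool(mask & DRIVE_TYPE_BITS[drive_type])


def still_enabled(mask):
    """Drive types a given mask leaves AutoRun-enabled."""
    return [t for t, bit in DRIVE_TYPE_BITS.items() if not mask & bit]


def read_policy():
    """Effective mask: the HKLM policy wins over HKCU; None if unset or not on Windows."""
    if winreg is None:
        return None
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, VALUE_NAME)
                return int(value)
        except OSError:      # key or value absent in this hive, try the next one
            continue
    return None


def verdict(mask):
    """One-line summary; None means the policy is unset and the OS default applies."""
    if mask is None:
        return "NoDriveTypeAutoRun not set: the OS default applies; set it to 0xFF to be explicit"
    left = still_enabled(mask)
    return "AutoRun off for all drive types" if not left else "AutoRun still on for: " + ", ".join(left)


if __name__ == "__main__":
    print(verdict(read_policy()))
```

Run it on the Windows box you plug strange sticks into; anything other than "off for all drive types" means an autorun.inf on a drive can still be honoured by an unpatched system. Note that Windows 7 and later, and XP/Vista with the 2009 AutoRun update (KB971029), no longer act on autorun.inf from USB flash drives regardless of this value; the registry value is still the explicit, auditable setting, and it also covers CD/DVD and U3-style devices that present themselves as optical media.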

When posting suspect urls it is best to break the link in a way so as there is no part of it displayed as an active link.

The easiest way to do that is to change http to hXXp e.g. hXXp://www.ehow.com/list_6657744_usb-antivirus-tools.html, so you just see a text format and the forum software doesn’t show it as an active link.

Hi DavidR,

Even a combination of these methods is to be preferred, I think. If I type in htxp://wXw etc., I just have to highlight everything after the htxp:// and hopla, it will open up in the browser if I enter enough of the location header (sometimes I do not even need to put www there - Google will assist me to go there).
If the broken link is a combination of your adopted breaking methods and spaces in between the www, the domain name etc., no-one can load it mistakenly in the way I described. The same goes for placing a hyphen right in front of an address; this can also mistakenly be circumvented.
Somewhere we have to address this, but again and again I see newbies here that post live malware links of all sorts, and some can be really dangerous to click through, especially without ample precaution inside a browser and with software that is exploitable (drive-by downloads, incognito malcode and the like)…

polonus

Damien,
You can’t stop those that want to visit infected sites from getting there. (True Indian managed to do it… :smiley: :smiley: :smiley: )
As long as someone can't accidentally click on a live link, that should be sufficient IMHO.

The main point is that it doesn't create any part of what appears to be an active link. The URL with a space before the .com has the forum software trying to make it active. There are some browsers that will try to correct that malformed URL and the user could end up at the suspect/malicious site.

Hell avast may even do that with its SiteCorrect feature and Auto redirect enabled, assuming it works on your browser.

Then I underestimated the browsers, OMG all those things one has to take account of. BTW, 'tis not malware I linked to.

@polonus: that was my reasoning for including a space.
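The two-way break the thread settles on (neuter the scheme and break the host so that nothing link-shaped survives), as an added example that is not the forum's software or anyone's post here. `residual_links` is a deliberately loose stand-in for an autolinker or address bar: a scheme or a `www.` followed by anything up to the next whitespace. The `[.]` notation for host dots is a common indicator-sharing convention, not one used in this thread, and the sample strings are the thread's own links.

```python
"""Defang URLs so forum software and browsers stop treating them as links.

Added example; LINKISH_RE is a loose stand-in for an autolinker, not a spec.
"""
import re

# What an autolinker or address bar will happily turn into a link: a scheme or
# a 'www.' followed by anything up to the next whitespace.
LINKISH_RE = re.compile(r"(?i)(?:https?://|www\.)\S+")
URL_IN_TEXT_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")


def residual_links(text):
    """Substrings an autolinker would still activate after a half-hearted break."""
    return LINKISH_RE.findall(text)


def defang(url):
    """hXXp for the scheme and [.] for every dot after it, both at once.

    'hXXp' alone leaves 'www.example.com/...' intact, which is exactly the part
    that gets highlighted and opened; a space before '.com' leaves 'www.example.'
    for the forum software to chew on. Bracketing every dot removes both.
    """
    m = re.match(r"(?i)^(?:(https?)://)?(.+)$", url)
    scheme, body = m.groups()
    prefix = ("hXXp" + scheme[4:] + "://") if scheme else ""   # http -> hXXp, https -> hXXps
    return prefix + body.replace(".", "[.]")


def refang(text):
    """Inverse, for when you really want to look the thing up (in a VM)."""
    return re.sub(r"(?i)\bhxxp", "http", text).replace("[.]", ".")


def defang_text(text):
    """Defang every link-shaped token in a whole post before pasting it."""
    return URL_IN_TEXT_RE.sub(lambda m: defang(m.group(0)), text)


if __name__ == "__main__":
    for sample in ("hXXp://www.ehow.com/list_6657744_usb-antivirus-tools.html",
                   "hXXp://www.myantispyware. com/2009/01/08/"):
        print(sample, "-> still link-like:", residual_links(sample))
    print(defang("http://www.ehow.com/list_6657744_usb-antivirus-tools.html"))
```

The two samples in the `__main__` block reproduce the two failure modes discussed above: the first still contains `www.ehow.com/...` for a reader to highlight, the second still contains `www.myantispyware.` for the forum software to autolink. Run a whole draft post through `defang_text` before submitting it rather than fixing links by hand.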

somebody remembered me ;D

Lah!!! ;D I didn't even infect my system… I do testing on a VM :wink:

Guys, just wish to point out a couple things. :slight_smile:

There are a bunch of USB antivirus programs. Some of them are good but…
Among a few things, the main difference between those USB antivirus programs and MCShield is:

  • USB antivirus programs mainly work at the level of definitions.
    That means if your USB stick is infected by some malware, it will be blocked and removed by some USB AV only if it has its signature.

  • MCS mainly works with its heuristics.
    That means if your USB is infected by some malware, MCS will block and remove the malware if it uses any known attack vector.

There is one more thing to know. There is no perfect software. ;D

100% correct :wink: and the real question is, do I really need MCShield when Avast & Outpost Pro FW are both doing their job when I insert the USB into my PC ??? :o

If you have 20 folders on a USB drive and any of them is a worm, MCS will disinfect each folder separately. Here's an example of the log.
This is a beta version of V.1. ;D

10.4.2010 21:41:58 > Checking F: ( ~2 GB, FAT flash drive )…

F:\autorun.inf > Renamed.

—> Traces of file replicators have been found!

—> Running generic s&d routine…

—> Note: Win32.Brontok has been identified!

F:\pozuda\malena.exe - Worm > Deleted. (10.04.10. 21.50 malena.exe.310803)

F:\7-Zip Portable.exe - Worm > Deleted. (10.04.10. 21.50 7-Zip Portable.exe.775413)

F:\AbiWord Portable.exe - Worm > Deleted. (10.04.10. 21.50 AbiWord Portable.exe.164937)

F:\autorun.exe - Worm > Deleted. (10.04.10. 21.50 autorun.exe.370266)

F:\AM-DeadLink.exe - Worm > Deleted. (10.04.10. 21.50 AM-DeadLink.exe.512535)

F:\ArcThemALL!.exe - Worm > Deleted. (10.04.10. 21.50 ArcThemALL!.exe.882467)

F:\Audacity.exe - Worm > Deleted. (10.04.10. 21.50 Audacity.exe.211817)

F:\DCU.exe - Worm > Deleted. (10.04.10. 21.50 DCU.exe.223767)

F:\Defraggler.exe - Worm > Deleted. (10.04.10. 21.50 Defraggler.exe.220542)

F:\Directory Lister.exe - Worm > Deleted. (10.04.10. 21.50 Directory Lister.exe.26955)

F:\Double Driver.exe - Worm > Deleted. (10.04.10. 21.50 Double Driver.exe.843601)

F:\DSynchronize.exe - Worm > Deleted. (10.04.10. 21.50 DSynchronize.exe.402451)

F:\DTaskManager.exe - Worm > Deleted. (10.04.10. 21.50 DTaskManager.exe.988153)

F:\DVD Shrink.exe - Worm > Deleted. (10.04.10. 21.50 DVD Shrink.exe.231047)

F:\eMule.exe - Worm > Deleted. (10.04.10. 21.50 eMule.exe.971208-)

F:\EssentialPIM Portable.exe - Worm > Deleted. (10.04.10. 21.50 EssentialPIM Portable.exe.308648-)

F:\Extra.exe - Worm > Deleted. (10.04.10. 21.50 Extra.exe.765168-)

F:\Fast Explorer.exe - Worm > Deleted. (10.04.10. 21.50 Fast Explorer.exe.365914)

F:\Data ADMINISTRATOR.exe - Worm > Deleted. (10.04.10. 21.50 Data ADMINISTRATOR.exe.157152)

F:\7-Zip Portable\7-Zip Portable.exe - Worm > Deleted. (10.04.10. 21.50 7-Zip Portable.exe.49016)

F:\7-Zip Portable\App\App.exe - Worm > Deleted. (10.04.10. 21.51 App.exe.685574)

F:\7-Zip Portable\App\7-Zip\7-Zip.exe - Worm > Deleted. (10.04.10. 21.51 7-Zip.exe.939444)

F:\7-Zip Portable\App\7-Zip\Lang\Lang.exe - Worm > Deleted. (10.04.10. 21.52 Lang.exe.984123)

F:\7-Zip Portable\App\DefaultData\settings\settings.exe - Worm > Deleted. (10.04.10. 21.52 settings.exe.299917)

F:\7-Zip Portable\Docs\Docs.exe - Worm > Deleted. (10.04.10. 21.52 Docs.exe.606395)

F:\7-Zip Portable\Docs\Other\Help\images\images.exe - Worm > Deleted. (10.04.10. 21.52 images.exe.121514)

F:\7-Zip Portable\Docs\Other\Source\Source.exe - Worm > Deleted. (10.04.10. 21.52 Source.exe.434815)

F:\AbiWord Portable\AbiWord Portable.exe - Worm > Deleted. (10.04.10. 21.52 AbiWord Portable.exe.9760)

F:\AbiWord Portable\App\App.exe - Worm > Deleted. (10.04.10. 21.52 App.exe.951171)

F:\AbiWord Portable\App\DefaultData\settings\settings.exe - Worm > Deleted. (10.04.10. 21.52 settings.exe.579467)

F:\AbiWord Portable\Docs\Docs.exe - Worm > Deleted. (10.04.10. 21.53 Docs.exe.941481)

F:\AbiWord Portable\Docs\Other\Help\images\images.exe - Worm > Deleted. (10.04.10. 21.53 images.exe.303804)

F:\AbiWord Portable\Docs\Other\Source\Source.exe - Worm > Deleted. (10.04.10. 21.53 Source.exe.506247)

F:\AM-DeadLink\AM-DeadLink.exe - Worm > Deleted. (10.04.10. 21.53 AM-DeadLink.exe.400385)

F:\AM-DeadLink\lang\lang.exe - Worm > Deleted. (10.04.10. 21.53 lang.exe.842605)

F:\Extra\Eigenmath\Eigenmath.exe - Worm > Deleted. (10.04.10. 21.53 Eigenmath.exe.380858-)

F:\Extra\eToolz\eToolz.exe - Worm > Deleted. (10.04.10. 21.53 eToolz.exe.936342)

F:\Extra\eXpresso\eXpresso.exe - Worm > Deleted. (10.04.10. 21.53 eXpresso.exe.139397)

F:\Extra\FileTypesMan\FileTypesMan.exe - Worm > Deleted. (10.04.10. 21.53 FileTypesMan.exe.413121)

F:\Extra\HD Tune\HD Tune.exe - Worm > Deleted. (10.04.10. 21.53 HD Tune.exe.755064)

F:\Extra\HotKeyz\HotKeyz.exe - Worm > Deleted. (10.04.10. 21.53 HotKeyz.exe.259995)

F:\Extra\HxD\HxD.exe - Worm > Deleted. (10.04.10. 21.53 HxD.exe.853525)

F:\Extra\KiTTY\KiTTY.exe - Worm > Deleted. (10.04.10. 21.53 KiTTY.exe.286650)

F:\Extra\md5hash\md5hash.exe - Worm > Deleted. (10.04.10. 21.53 md5hash.exe.545199)

F:\Extra\MyUninstaller\MyUninstaller.exe - Worm > Deleted. (10.04.10. 21.53 MyUninstaller.exe.38059)

F:\Extra\NetSetMan\NetSetMan.exe - Worm > Deleted. (10.04.10. 21.53 NetSetMan.exe.146698-)

F:\Extra\NetWorx\NetWorx.exe - Worm > Deleted. (10.04.10. 21.53 NetWorx.exe.706599)

F:\Extra\RegASSASSIN\RegASSASSIN.exe - Worm > Deleted. (10.04.10. 21.53 RegASSASSIN.exe.593608-)

F:\Extra\RegFromApp\RegFromApp.exe - Worm > Deleted. (10.04.10. 21.53 RegFromApp.exe.991573)

F:\Extra\Registry Tweaker\Registry Tweaker.exe - Worm > Deleted. (10.04.10. 21.53 Registry Tweaker.exe.739955)

F:\Extra\RegScanner\RegScanner.exe - Worm > Deleted. (10.04.10. 21.53 RegScanner.exe.508190)

F:\Extra\Regshot\Regshot.exe - Worm > Deleted. (10.04.10. 21.53 Regshot.exe.149955)

F:\Extra\ShellExView\ShellExView.exe - Worm > Deleted. (10.04.10. 21.53 ShellExView.exe.61148-)

F:\Extra\ShellMenuView\ShellMenuView.exe - Worm > Deleted. (10.04.10. 21.53 ShellMenuView.exe.698541)

F:\Extra\SQLiteSpy\SQLiteSpy.exe - Worm > Deleted. (10.04.10. 21.53 SQLiteSpy.exe.494020)

F:\Extra\Unlocker Portable\App\Unlocker\Unlocker.exe - Worm > Deleted. (10.04.10. 21.53 Unlocker.exe.963310)

F:\Extra\USBDeview\USBDeview.exe - Worm > Deleted. (10.04.10. 21.53 USBDeview.exe.588064)

F:\Extra\VirtuaWin\VirtuaWin.exe - Worm > Deleted. (10.04.10. 21.53 VirtuaWin.exe.816264)

F:\Extra\Volumouse\Volumouse.exe - Worm > Deleted. (10.04.10. 21.53 Volumouse.exe.824672)

F:\Extra\WinIPS\WinIPS.exe - Worm > Deleted. (10.04.10. 21.53 WinIPS.exe.667293)

F:\pozuda

F:\pozuda - Worm.Traces > Deleted. (10.04.10. 21.57 pozuda.449012)

F:\pozuda.exe - Worm.Sus > Renamed.

Restoring defaults: F:\7-Zip Portable

Restoring defaults: F:\AbiWord Portable

Restoring defaults: F:\AM-DeadLink

Restoring defaults: F:\ArcThemALL!

Restoring defaults: F:\Audacity

Restoring defaults: F:\DCU

Restoring defaults: F:\Defraggler

Restoring defaults: F:\Directory Lister

Restoring defaults: F:\Double Driver

Restoring defaults: F:\DSynchronize

Restoring defaults: F:\DTaskManager

Restoring defaults: F:\DVD Shrink

Restoring defaults: F:\eMule

Restoring defaults: F:\EssentialPIM Portable

Restoring defaults: F:\Extra

Restoring defaults: F:\Fast Explorer

The message exceeds the maximum allowed length (10000 characters).

Not all the care in the post ;D
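The log above shows the two tells that a heuristic, rather than a signature, can key on: an autorun.inf at the drive root that launches something, and a swarm of `.exe` files named after the folders they sit next to (`7-Zip Portable.exe` beside `7-Zip Portable\`, `App.exe` beside `App\`, and so on), the classic Brontok-style folder replicator. The following is an added example of that heuristic in Python, not MCShield's code: the drive layout it builds is constructed from the paths in the log (empty files, no real malware), the `.vir` rename mirrors the behaviour described later in this thread, and the directive list, extension list and function names are my choices. It goes slightly beyond the log by treating `shellexecute=` and `shell\...\command=` as launch hooks alongside `open=`.

```python
"""Heuristic sweep of a removable drive for the classic folder-worm tells.

Added example (not MCShield's code): it looks for an autorun.inf that launches
something and for executables named after a sibling folder, and can rename
hits to <name>.vir for review instead of deleting them outright.
"""
import os
import re
import tempfile

# autorun.inf directives that make Explorer run something when the drive is
# inserted or double-clicked; icon=, label= and friends are harmless by themselves.
AUTORUN_EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")


def parse_autorun_inf(text):
    """Return {key: value} for the [autorun] section, tolerating junk.

    Worms pad autorun.inf with binary garbage and odd line endings so that a
    strict INI parser gives up; this one simply skips anything it cannot read.
    """
    directives, in_autorun = {}, False
    for raw in text.replace("\r", "\n").split("\n"):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def autorun_findings(directives):
    """The directives that would execute code: these are the worm's hook."""
    return [f"{k}={v}" for k, v in directives.items()
            if k in AUTORUN_EXEC_KEYS or SHELL_CMD_RE.match(k)]


def scan_drive(root):
    """Walk the drive; return [(path, reason)] for every suspicious file."""
    root = os.path.normpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if name.lower() == "autorun.inf" and os.path.normpath(dirpath) == root:
                with open(path, "r", errors="ignore") as fh:   # only the root copy is honoured
                    reasons = autorun_findings(parse_autorun_inf(fh.read()))
                if reasons:
                    findings.append((path, "autorun.inf launches: " + "; ".join(reasons)))
            elif ext.lower() in EXEC_EXTS and stem.lower() in sibling_dirs:
                # folder replicator: the folder's "twin" .exe, usually carrying a folder icon
                findings.append((path, f"executable impersonates sibling folder '{stem}'"))
    return findings


def quarantine(findings, dry_run=True):
    """Rename hits to <name>.vir so they no longer autorun or launch on a double-click."""
    renamed = []
    for path, _ in findings:
        target = path + ".vir"
        if not dry_run:
            os.replace(path, target)
        renamed.append(target)
    return renamed


def build_sample_drive():
    """Constructed stand-in for the F: drive in the log (empty files, no real malware)."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\r\nopen=pozuda.exe\r\nshell\\open\\command=pozuda.exe\r\nicon=app.ico\r\n")
    for folder in ("7-Zip Portable", "Audacity"):
        os.makedirs(os.path.join(root, folder, "App"))
        open(os.path.join(root, folder + ".exe"), "wb").close()      # twin of the folder
        open(os.path.join(root, folder, "App.exe"), "wb").close()    # twin one level down
    os.makedirs(os.path.join(root, "Extra"))
    open(os.path.join(root, "Extra", "HxD.exe"), "wb").close()       # legitimate: no sibling 'HxD' folder
    open(os.path.join(root, "readme.txt"), "w").close()
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    hits = scan_drive(drive)
    for path, reason in hits:
        print(f"{os.path.relpath(path, drive)} > {reason}")
    print("would rename:", [os.path.basename(p) for p in quarantine(hits)])
```

Two caveats a practitioner would want. First, the twin-executable rule is a heuristic and will flag a legitimate launcher that happens to sit beside a folder of the same name, which is why the default is a dry run and a rename rather than a delete: review the list first, the "second opinion" asked for earlier in this thread. Second, the real worms also set hidden and system attributes on the original folders (the "Restoring defaults" lines in the log are presumably the undo of that); checking `os.stat(path).st_file_attributes` against `stat.FILE_ATTRIBUTE_HIDDEN` and `FILE_ATTRIBUTE_SYSTEM` is Windows-only and is left out here so the example runs anywhere.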

I had a problem today with McShield 2: start-up on Vista failed, and a repair to "last known good start-up" removed just McShield 2. Then I also checked SpywareBlaster and saw I had to restore protection in SpywareBlaster for some IE protection items. Why did this happen? Two Skype plug-ins that I had uninstalled were installed again in IE after that repair routine. I disabled them again, restored full protection and re-installed McShield 2. I think Skype is behaving rather aggressively. I will see what will happen next,

polonus

I have MCShield on my computer.

It renamed a file called explorer.exe on my memory stick to explorer.exe.vir.

It said it was suspicious; however, it was a program that I had renamed to explorer.exe ::slight_smile: