Stand-Alone Antivirus Software?
An anonymous reader writes "I work for a company that repairs specialty devices that have an embedded Mini-ATX motherboard without a CD-ROM drive and run Windows XP Home. And while the USB flash drives we insert into them have a physical write-protect tab, we still encounter a (rather annoying) display dialog from malware/viruses to remove the write-protect so the malware can infect the flash drive. We don't remove the write-protect, obviously, but would like to offer our customers the option of removing the malware/virus without having to install any software. We would rather not install/uninstall antivirus software even for one-time use, due to various licensing issues, nor do we want to connect to the Internet to use web-based online scanners. Is there any stand-alone anti-virus/anti-malware software for Windows that can be run directly from the write-protected flash drive itself?"
ClamWin, Dr. Web CureIt, etc.: http://thepcsecurity.com/ultimate-list-of-portable-antiviruses-for-your-usb/
The boyz and I have tried to figure out a solution to that same problem. AVG has a Linux-based rescue CD, as do some other guys; it could easily be adapted to a USB disk.
A portable version of ClamWin may do the trick.
http://www.clamwin.com/content/view/118/89/
English is not my first language. Corrections and suggestions are welcome.
ClamAV portable?
http://portableapps.com/apps/utilities/clamwin_portable
While it won't catch everything, ClamAV, I believe, can be set up on the USB drive to be used that way.
I have a thumbdrive with ClamWin just for this purpose. I remove the write-protect when I need to update the virus definitions, then flip it back before inserting it in a suspect PC. Works great.
What's that smell? Ah, that's my karma burning...
Just update it periodically from the internet and it's a single file AV scanner that seems to do a half-way decent job of rooting out a lot of common viruses/trojans/adware.
http://www.freedrweb.com/cureit/?lng=en
I know that U3-enabled flash drives can run AV scans directly from the flash drive. I don't know if this requires that some part of the drive be writeable. U3 drives appear as a CD-ROM plus a separate flash drive. http://en.wikipedia.org/wiki/U3
http://www.ubcd4win.com/
There are several AV products that can be slipstreamed into it, and there are instructions on installing the Ultimate Boot CD onto a thumbdrive, which is handy for keeping AV signatures up to date.
"I use a Mac because I'm just better than you are."
You could try something like F-Prot or Panda Commandline scanner, and just update the definition files on your USB drive manually from time to time.
100% of the system is read-only? I assume you are using a ramdrive or something like that for tmp files and the like? I don't know shit about Windows, but I don't think it's going to run without any kind of writable space.
OTOH, if you want a simple solution to this issue, and the system is read-only, I think your simplest antivirus solution is called "reboot".
Of course, you should be looking into running GNU/Linux on these babies. It certainly runs better on Atom than Windows ever will.
WTF am I doing replying to an AC at 5 A.M. on a Friday night?
I work in a similar environment, and although I can't recommend a virus program, I can suggest ways to prevent it. It sounds like the company is creating an embedded device, but is not using an embedded operating system. Microsoft Windows Embedded forbids writes to the C: drive when you enable EWF or FBWF. EWF gives you a memory overlay so software *can* write to C:, but if you get infected, you just reboot the machine. Alternatively, a good Micro-ATX BIOS will support making the drives read-only.
You should definitely check out portableapps.com. Lots of OSS that can be run from a thumb drive.
face the world with eyes of fire.
Instead of protecting the device proactively by using some sort of AV, application whitelist, or other device control, you want to let them keep getting infected, over and over, so your users have to keep using the USB device to remove the malware infections over and over? Brilliant.
Moderation: Put your hand inside the puppet head!
Use MBAM. I'm pretty sure you can load it onto a flash drive and have it run a full scan. It's free, and the most effective spyware/malware cleaner I've used. It doesn't take any guff: it will kill processes, delete executables, and restart if needed, with your permission, of course. It will actually remove threats, rather than just telling you about them, even those new nasty ones that launch several EXEs and even services.
Discounting for a minute the questionable practices of a company that makes a specialty product that comes with XP Home of all things on it...
Your best bet is probably some kind of BartPE- or WinPE-based system that boots via USB.
I like "The Ultimate Boot CD for Windows"
http://www.ubcd4win.com
It might have some tools on there that you'll need to make sure don't make it onto your USB drive for licensing related reasons if you're a business, but it has good support for a wide array of hardware configs and a whole lot of really useful tools for dealing with both Virus and Spyware varieties of Malware. It also comes with a tool that'll pop it onto a USB drive with a few easy clicks.
Unless I'm totally mistaken, I believe you should be able to copy a folder you have installed Spybot Search & Destroy to over to a USB drive and run it just fine from there.
How about using the BitDefender rescue disk, (available in ISO format, but portable to a USB key) and asking the customer to reboot the PC and allow it to boot entirely from the USB key?
Licensing may be a grey area on that one though, depending on how widely you are distributing it.
One problem with using a Windows application is that it may be up against a virus that is entrenched and will simply stop the cleaning from taking place. If this is the case, you need something that will activate on boot, or better yet boot on its own (like the BitDefender).
There is probably a more elegant solution though, since this is a highly controlled environment. Maybe more restrictive user level controls are in order, forcing the users to log in with minimal privileges?
I've recently switched my company over to Sunbelt Systems VIPRE.
One of the triggers for this was how well this worked...
http://vipre.malwarebytes.org/
I've used Malwarebytes in many places but the standalone scanner from Vipre is pretty impressive.
We would rather not install/uninstall antivirus software even for one-time use, due to various licensing issues, nor do we want to connect to the internet to use web-based online scanners. Is there any stand-alone anti-virus/anti-malware software for Windows that can be run directly from the write-protected flash drive itself?"
There are many anti-virus vendors that offer free downloadable rescue disks that you can boot from and scan your system. F-Secure, Panda, Avira, AVAST, and Bitdefender come to mind. McAfee offers an executable called Stinger.exe, and Microsoft's installable Microsoft Security Essentials is free.
Try any one of those programs from a reputable security software vendor; there are more than listed above.
http://www.kaspersky.com
They have a tool you can create from a working installation; it creates a bootable CD (PE) that you can clean a system with. I found it works very well. I would imagine it could be installed on a bootable flash disk as well.
I have found it useful when you don't want to boot up an infected system.
It is able to update virus/malware definitions if it has the necessary network driver available.
"nor do we want to connect to the internet to use web-based online scanners"
Why *not* connect to the internet - your retarded customers obviously have been...
BTW, a LART is a proven antivirus solution; the next time a customer brings in a fux0red machine, apply the LART until the screaming stops.
Try McAfee's Stinger. http://vil.nai.com/vil/stinger/ Although it is limited, it is stand alone and another tool in your arsenal to remove the nasties. I haven't used it in a while, so YMMV.
AVG has a "rescue CD" http://free.avg.com/ww-en/kb.pnuid-1267095510 that can be written to a USB flash drive. Also, SuperAntiSpyware has a portable scanner: http://www.superantispyware.com/portablescanner.html
"It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
I've had great success with SysClean from Trend Micro. It's free, and it may be a bit unintuitive how to get the files required, but it has worked great for me in the past for malware that disables AVs, and it requires no installation.
from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
http://www.superantispyware.com/portablescanner.html I have had good luck with this. Hope you do too.
I use Combofix. It has to be able to connect to the Internet to update, though. Unless you want to constantly download the newest version onto the drive.
From what I understand, the article states:
a) these devices are owned by the customer and have a hard drive with moving parts running Windows XP Home
b) the company wants to offer one-shot cleanups that they can run from a USB drive
If this is true, you definitely want to check this out: http://www.ubcd4win.com/ - this tool is designed to create bootable optical disks and also bootable USB flash drives, both to run a BartPE-based Windows XP-like environment. The tool includes several virus and malware scanning utilities. It used to support ClamWin but does not currently include it; however, I believe that can be added if needed. Hope that helps.
Anyway, he then Googles and sends me a list. I responded, "Yes, I've Googled myself, thank you. I asked you for your opinion because I trust you and not the thousands and thousands of random opinions - many of which are outright plagiarism of other websites, and if one was BSing, then thousands were BSing too."
I would also like to point out that many, many web pages are postings by folks who are paid shills.
In short: Google does not offer trusted individual opinions and most of the reviews and opinions on the web are highly suspect.
RIP America
July 4, 1776 - September 11, 2001
You can try Dr.Web CureIt - http://www.freedrweb.com/cureit/?lng=en
They also have a live CD version - http://www.freedrweb.com/livecd/
Both are usually updated daily.
If the device has a USB port, you can just plug in a USB optical drive and use any old AV boot disk. There's no reason to restrict yourself to just thumb drives.
Nothing worthwhile ever happens before noon
But by posting here, the author garners reviews and opinions from other users, and that information takes a lot more time to track down than simply pages noting that a specific tool can be run from a bootable device.
Besides, he also provides an opportunity for the rest of us to be entertained by folks like you, and the people like me who will take the bait.
I use irony whenever I can, but my shirts are still wrinkled...
I see all the mentions of ClamAV but I have tested it and it pretty much fails at detecting everything. I used to use it all the time but I recently had a rash of family members with infected computers and ClamAV failed to detect anything at all on those machines.
To be honest the built-in Microsoft malware scanner works pretty darn good.
Do those "physical" write-protect switches really physically protect it, or is it just a flag for the OS to write-protect it (i.e. software write-protect)? If it's just a software write-protect, then that ain't gonna do shit.
Back in the BBS days, from MacAffee, you could download SCAN.EXE and CLEAN.EXE and run them on DOS.
And - you still can!
Go to their website and find the command line scanner for win32. It claims to be a trial version, but with no install routine and being a command line program, that doesn't mean much. It uses the same .DAT files that you download for any other VirusScan program.
I get a huge chuckle when I run it, because it's exactly the same way it was in 1988 and that's the way it oughta be. all this other crap is fer lamos :-)
I don't have any write-protected drives on me right now, but I think these may have worked in the past: ComboFix, Dr.Web CureIt!, and... oh, that's it. In your search, try looking for 'portable' versions of your favorite virus scanners; that's what they usually call the kind that can run off flash drives, and some may work on write-protected ones. BTW, if you're worried about licensing, running from a locked flash drive may not clear you automatically. When you run the program, it kind of "installs" to RAM, and if it needs to perform a reboot, it may write some stuff to the hard drive, not to mention the log files that may be written to the HDD.
I have a USB stick with Linux & TWM. It's some variant of Debian. I have it set up with ClamAV, and I run freshclam before going out for a job. I made sure I have a CD that I can boot & chroot from if the hardware won't boot off of a USB HD. By running the separate OS, I don't have to worry about a rootkit hiding itself from the Windows OS. I know several people who also have XP running from flash drives & run MBAM and other software from them.
http://live.sunbeltsoftware.com/ Extract it to the USB drive, then run it on the offending PC. The only issue that might arise is that two files are copied to the C: drive before the scan starts: one to C:\Windows\, the other to C:\windows\system32\. Both are necessary for the scanner to work properly.
In some environments it's a godsend.
every day http://en.wikipedia.org/wiki/Special:Random
http://www.f-secure.com/en_EMEA/security/tools/rescue-cd/
I've also had random luck getting this to work from a bootable USB drive that mounts the ISO as well.
> In short: Google does not offer trusted individual opinions and most of the reviews and opinions on the web are highly suspect.
Neither do half the jokers posting here...
It's like the old saying, if you want it done right you gotta do it yourself. That goes for researching/trying out products too... Besides IMO it's the only way for stupid people to become more self sufficient in the long run.
A lot of that custom software does not like lockdown, and some of it likes to store logs / other stuff that will get lost with that reset of C: on reboot, and no, it's not easy to make it put that stuff on another disk. Some of it was coded for Windows 9x, and no, they will not make it work for UAP / limited user.
Also turning off admin will not work for a lot of that software as well.
When dealing with malware, viruses, worms, backdoors, etc., there are many things they can do if they are live.
The way to shut them down for the moment is a clean boot from a clean, verified, uninfected source, something like a CD or USB if the hardware/BIOS permits. Also, pull out the network plug; some malware will propagate to other machines over the network, even if you don't think you're accessing it.
Two things to look out for: some computers may seem to let you boot from those sources, but still load something off the hard drive, which can result in the malware being loaded. You have what looks like a clean boot, but isn't.
Another thing, always do that clean boot from a completely powered off state. Not sleep mode, not hibernate, and absolutely not a reboot. Some laptops do not make that an easy thing. There is a simple reason for this. The memory wipe that supposedly happens when you reboot not only isn't complete, but can be changed to do even less. In other words, there are numerous malware out there that laugh at reboots. Some of them even survive simple resets. A trick I used to do in high school, play a game, turn computer off, turn it back on in 10 seconds, put in a particular memory execution command, and resume the game exactly where it was when I shut off the computer. There aren't many malware that can duplicate that, but there are some. Rule of thumb, leave the computer unpowered for at least 30 seconds.
Does this stuff sound kind of apocalyptic? Maybe, but it's all true. Are you likely to encounter those types? If you aren't doing anti-virus (or other anti-malware) stuff a lot, it's unlikely. But yes, it does happen, and as a computer professional, you are supposed to take steps to avoid those possibilities. (Not to mention it might save you some hair.)
By the way, they really need a current and high quality antivirus with current definitions (KEEP THEM CURRENT) to reduce the re-occurrence of infections. It's kind of like doing an emergency tracheotomy on someone every couple weeks because he's allergic to flan, and yet there are reasonably effective anti-flan allergy pills out there. It's really bad karma to not insist the fool starts taking them on a regular basis. (Counseling them how to avoid it in the first place is also important, but we both know how well that works on some people.) At least if you strongly insist that they get proper protection (and keep it up to date), then you'll have done everything you reasonably can, and nobody can accuse you of unprofessionalism.
It wasn't clear from the blurb whether you were doing a full clean boot, so this is just to make sure; besides, since you mentioned it trying to write back to your media, it's pretty obvious it wasn't a clean boot.
There are many anti-virus companies that offer versions of their anti-virus on bootable CDs that you can download and run for free (legally). It will take just a little bit of Google work, but I know you can find ones for Avira, Bit Defender, and Kaspersky. There might be more out there, but the one I use the most (I work as a PC tech cleaning out lots of viruses) is the Avira CD. Happy virus killing!
Profanity is the language all programmers know best.
http://www.pendriveapps.com/software/portable-antispyware-malware/
http://www.clamwin.com/content/view/18/46/
And it's free!
I killed da wabbit -Elmer Fudd
Which police department is exactly responsible?
Have you completely missed every reference to the lawlessness of the net?
There is no central authority to do what you so glibly suggest is the problem of the "Police".
Anyone, please tell me one antivirus and/or antimalware product, free or not, which:
- Scans all PCI cards for viruses/trojans/rootkits (VTR)
- Scans BIOS for VTR
- Scans connected/networked printers for VTR
- Scans any other connected device in whichever, whatever slots or connections with readable or writable media for VTR
The many rootkit scanners available do not, neither do any of the antivirus companies products unless I'm wrong.
The product doesn't exist! Google "PCI Rootkit" and start reading. Google "BIOS rootkit" and read further. The serious malware surviving formats and zeroing isn't on the hard drives themselves; it has formed an intimate relationship with what all scanners ignore: your other hardware devices, internal or external. Google further into the real power/weaknesses of your network cards and learn just how exploitable they are, too.
Until we have a product with the ability to scan, disinfect, and show you exactly what is infecting your *other* hardware, the products on the market today are just virtual ticklers for the e-ballsack. It's 2010, one should not have to boot into a LiveCD and use an old text based GUI tool to dump their BIOS and do comparisons and checksum verification, when is the last time you did this for your graphics card?
Hard drives, USB drives, yes, yes, I know, but the real threats are being overlooked, your *other* hardware!
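The "dump their BIOS and do comparisons and checksum verification" step mentioned above, as an added example that is not from the thread or from any tool named in it: it hashes a firmware dump against a known-good baseline and, when they differ, reports the changed byte ranges so they can be inspected. Producing the dump itself is assumed to be done with a separate flash-reading tool; the images here are constructed, not real firmware.

```python
"""Checksum-verify a dumped firmware image (system BIOS, option ROM) against a
known-good baseline and, when it differs, locate the changed bytes.

Added example, not a tool named in the thread. Producing the dumps is out of
scope (any flash reader that writes a raw image will do); the sample images
below are constructed, not real firmware.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    offset: int  # first differing byte
    length: int  # bytes spanned by the run (including small identical gaps)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_regions(baseline: bytes, current: bytes, merge_gap: int = 16) -> list[Region]:
    """Contiguous runs of changed bytes over the common prefix of both images.

    Runs separated by at most merge_gap identical bytes are merged, so a patched
    routine shows up as one region instead of dozens of one-byte hits.
    """
    regions: list[Region] = []
    start = last = None
    for i in range(min(len(baseline), len(current))):
        if baseline[i] != current[i]:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            regions.append(Region(start, last - start + 1))
            start = None
    if start is not None:
        regions.append(Region(start, last - start + 1))
    return regions


def verify_image(baseline: bytes, current: bytes,
                 recorded_sha256: str | None = None) -> dict:
    """Compare current with baseline; recorded_sha256 (if given) vouches for the baseline.

    status: 'baseline-untrusted' (golden copy does not match the record), 'match',
    or 'modified' (with the changed regions and both sizes, so truncation shows too).
    """
    report = {
        "baseline_sha256": sha256_hex(baseline),
        "current_sha256": sha256_hex(current),
        "size_baseline": len(baseline),
        "size_current": len(current),
        "regions": [],
        "status": "match",
    }
    if recorded_sha256 and recorded_sha256.lower() != report["baseline_sha256"]:
        report["status"] = "baseline-untrusted"
    elif report["current_sha256"] != report["baseline_sha256"]:
        report["status"] = "modified"
        report["regions"] = differing_regions(baseline, current)
    return report


def build_demo_images() -> tuple[bytes, bytes]:
    """Constructed 4 KiB pseudo-image plus a copy with two patched spots."""
    baseline = bytes(range(256)) * 16
    patched = bytearray(baseline)
    patched[0x100:0x108] = b"\x90" * 8   # eight-byte overwrite
    patched[0x800] ^= 0xFF               # single flipped byte ...
    patched[0x80A] ^= 0xFF               # ... and another within merge_gap: one region
    return baseline, bytes(patched)


if __name__ == "__main__":
    good, dumped = build_demo_images()
    result = verify_image(good, dumped)
    print(result["status"], "baseline sha256", result["baseline_sha256"][:16], "...")
    for r in result["regions"]:
        print(f"  changed: offset 0x{r.offset:05X}, {r.length} bytes")
```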
Not if you want the system to actually be secure. In order to effectively scan, you'll need up-to-date virus definitions. If you don't want to be on the network for an online scan, you probably won't want to be on the network to download definitions. It wouldn't matter anyhow, as you can't put them on the USB drive because you want to maintain write-protect. As such, even if you put the AV product on your system, you'd shortly be stuck with out-of-date definitions, unless you have some other writable media to put them on, which you didn't mention.
So, to summarize: you'll need to get updated definitions and put them somewhere. If your system doesn't have (or you don't want) that, you don't have a viable solution.
That is all.
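Both the "update the definitions, then flip the write-protect back" workflow described earlier in the thread and the stale-definitions concern in this post come down to one check: are the ClamAV databases on the stick actually fresh before it is locked? An added example, not code from the thread or from the ClamAV project; it relies on the documented 512-byte colon-separated header at the start of every .cvd/.cld file, and the sample headers and the 7-day threshold are assumptions for the demo.

```python
"""Flag stale ClamAV definitions on a scanning stick before it is write-protected.

Added example (not from the thread or the ClamAV project). It parses the
documented 512-byte header at the start of every .cvd/.cld file:
  ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<epoch>
Sample headers and the 7-day threshold are demo assumptions.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass
from pathlib import Path

HEADER_LEN = 512
MAGIC = "ClamAV-VDB"
MAX_AGE_DAYS = 7  # assumption: a daily.cvd older than this counts as stale


@dataclass
class CvdHeader:
    name: str
    build_time: dt.datetime
    version: int
    signatures: int


def parse_cvd_header(name: str, raw: bytes) -> CvdHeader:
    """Parse the fixed-size text header of a .cvd/.cld database file."""
    if len(raw) < HEADER_LEN:
        raise ValueError(f"{name}: header too short ({len(raw)} bytes)")
    fields = raw[:HEADER_LEN].rstrip(b"\x00 \n").decode("ascii", "replace").split(":")
    if fields[0] != MAGIC or len(fields) < 9:
        raise ValueError(f"{name}: not a ClamAV database header")
    # The trailing epoch field is easier to trust than the text date in fields[1].
    build_time = dt.datetime.fromtimestamp(int(fields[8]), dt.timezone.utc)
    return CvdHeader(name, build_time, int(fields[2]), int(fields[3]))


def stale_databases(dbs: dict[str, bytes], now: dt.datetime,
                    max_age_days: int = MAX_AGE_DAYS, gate_prefix: str = "daily") -> list[str]:
    """Names of gated databases built more than max_age_days before now.

    Only names starting with gate_prefix are gated: daily.cvd/.cld is refreshed daily,
    while main.cvd is rebuilt rarely and is legitimately months old. Every header is
    still parsed, so a corrupt file raises instead of silently passing.
    """
    stale = []
    for name, raw in sorted(dbs.items()):
        hdr = parse_cvd_header(name, raw)
        if name.startswith(gate_prefix) and (now - hdr.build_time).days > max_age_days:
            stale.append(name)
    return stale


def load_database_dir(db_dir: Path) -> dict[str, bytes]:
    """Read only the header bytes of each .cvd/.cld file (main.cvd is large)."""
    headers = {}
    for p in sorted(db_dir.iterdir()):
        if p.suffix in (".cvd", ".cld"):
            with p.open("rb") as fh:
                headers[p.name] = fh.read(HEADER_LEN)
    return headers


def build_demo_header(build: dt.datetime, version: int, signatures: int) -> bytes:
    """Construct a header in the documented layout (demo data, not a real database)."""
    text = ":".join([MAGIC, build.strftime("%d %b %Y %H-%M %z"), str(version),
                     str(signatures), "53", "0" * 32, "dsig-placeholder",
                     "demo-builder", str(int(build.timestamp()))])
    return text.encode("ascii").ljust(HEADER_LEN, b" ")


if __name__ == "__main__":  # demo run against constructed headers
    now = dt.datetime.now(dt.timezone.utc)
    dbs = {"daily.cvd": build_demo_header(now - dt.timedelta(days=12), 11234, 805000),
           "main.cvd": build_demo_header(now - dt.timedelta(days=120), 52, 700000)}
    for name, raw in sorted(dbs.items()):
        h = parse_cvd_header(name, raw)
        print(f"{name}: v{h.version}, {h.signatures} sigs, built {h.build_time:%Y-%m-%d}")
    print("stale:", stale_databases(dbs, now) or "none, definitions fresh enough")
```

To check a real stick, replace the demo dictionary with `load_database_dir(Path("<path to the stick's database directory>"))`.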
AVG Rescue CD :D
You can put it on a flash drive and it will boot up a linux kernel and scan the system. Great tool!
http://www.avg.com/us-en/avg-rescue-cd
I really think, with such usage and money being made, a donation
http://www.clamwin.com/content/view/180/105/ (donation)
and of course the same donation to clamav(.net), the "real thing", should be made.
People may think such famous projects are swimming in donation money, but it is generally not the reality. There is no license confusion there either: it is free, but donations are accepted, whatever money you feel like. In the TV business, I sometimes see ffmpeg being used in million-dollar projects without a cent of donation; it really pisses me off. I bet little shops are way more ethical.
"Microsoft Security" might sound like an oxymoron, but Microsoft Security Essentials is actually pretty good, and it's free. Just install it on every device.
And as an earlier poster said, it's ludicrous to let viruses in just to clean them up later, dude. Would you do that with your girlfriend? "Oh, it's okay if I get herpes, honey, they've got great antiretrovirals these days."
It isn't very widely known, but clamav doesn't detect "spyware" by default. If you pass '--detect-pua' (potentially unwanted apps) in its arguments, it will detect them too.
Of course, in this situation, if he "fixes" the computer by removing spyware and the idiot customer jumps up and down saying "his mp3 downloader is broken", it will cause some issues. That is why most antiviruses stay away from detecting spyware by default.
I would like to replace your BIOS with one that does nothing except display a picture of goatse. I don't really care if I have to replace the system BIOS or the video BIOS.
First, use a USB external CD-RW drive. Next locate a copy of "f-secure-rescue-cd-3.11-23804.iso" and burn it using another computer to a CD-R. Finally, boot the CD-R in the CD-RW drive on the Windows computer that's infected. The disk will use a simple Linux shell and start the AV tool from F-Secure. The software will visit the home site (use an Ethernet connection) and get the virus definitions that are current and will then do a full scan of the Windows hard disk.
That is a problem right there if you are wanting to boot from the infected drive THEN test... If you can boot off the USB too, why not just boot off USB, then connect/share via SMB to a machine in your shop that has all the scanning stuff and do it from there?
---- Booth was a patriot ----
Then simply stop using that malware/virus-infected, bug-ridden pile of Windows and go with an embedded *nix or similar. Jeeze, why do people use this crap, then complain when it doesn't work! Time after time...
Seriously, you're willing to let your customers use the device when it's riddled with malware or whatever, but you want a simple and easy way to clean them when you get one for service?
Why bother? If you're not interested in preventing the problem, it will come back.
And as some have recommended, you should work with the suits to either get a more appropriate and robust version of Windows to do what you do, or move to an OS that can be secured. I know this is not just a technical decision, so good luck with that.
deleting the extra space after periods so i can stay relevant, yeah.
Antivir has a command line scanner: http://www.avira.com/en/support/support_downloads.html
I don't need to test my programs.. I have an error correcting modem.
McAfee (one f). :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Combofix
AV software will never catch everything and just gives a false sense of security.
My suggestion would be to maintain a clean image of the OS and blow the whole image in, instead of trying to clean the machines.
Aside from anything else, I believe you have more liability if you do a bad job of something (cleaning the virus) than if you do nothing or do a clean re-install. I'd vote for the reinstall. New viruses are very stealthy and getting better all the time. I don't know of any reliable way to detect them all, and you'll be miles ahead to just drop a clean OS image onto the boot media and know it's all good.
http://www.inside-security.de/insert_en.html
It can read/write NTFS and can run ClamAV.
I even installed it on a thumb drive with two partitions. Used from Windows, it is a data drive. Boot from it and it goes into Insert Linux Rescue.
It is pretty spartan and very small so will fit on your older thumb drives that are too small for anything else.
Why run Antivirus from an O/S that is vulnerable? F-prot has a Linux version that works well on the command line, and detects Windows viruses. Set up a Fedora boot CD/Flash disk and run the latest f-prot on it, and relax in the comfort of knowing that you are virus scanning from a position of relative security.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
As others said: boot a clean Linux USB. Even some banks recommend this!
And - you still can!
As of April 1, 2010, SCAN.EXE is defunct and has been replaced by a stub file. https://kc.mcafee.com/corporate/index?page=content&id=KB68671
Sophos have a standalone scanner / remover. http://www.sophos.com/support/knowledgebase/article/13251.html
McAfee Stinger
http://vil.nai.com/vil/stinger/
I haven't seen anyone post this yet: http://trinityhome.org/
Update it prior to write protecting it, and assuming you can boot those machines from USB as well, boot them and go to town. It has saved many a friend/family machine I have been forced to support for free.
"Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway" -Andrew Tanenbaum
Try this: http://www.dataenter.co.at/doc/general_scanner_mcafee.htm
Outstanding.