Slashdot Mirror


Stand-Alone Antivirus Software?

An anonymous reader writes "I work for a company that repairs specialty devices that have an embedded Mini-ATX motherboard without a CD-ROM drive and run Windows XP Home. And while the USB flash drives we insert into them have a physical write-protect tab, we still encounter a (rather annoying) display dialog from malware/viruses to remove the write-protect so the malware can infect the flash drive. We don't remove the write-protect, obviously, but would like to offer our customers the option of removing the malware/virus without having to install any software. We would rather not install/uninstall antivirus software even for one-time use, due to various licensing issues, nor do we want to connect to the Internet to use web-based online scanners. Is there any stand-alone anti-virus/anti-malware software for Windows that can be run directly from the write-protected flash drive itself?"

32 of 159 comments

  1. Plenty by Anonymous Coward · · Score: 5, Informative
    1. Re:Plenty by The+MAZZTer · · Score: 4, Informative

      ClamWin Portable from http://portableapps.com/

    2. Re:Plenty by SausageOfDoom · · Score: 3, Interesting

      But isn't there a risk with this whole USB-virus-scanner thing that if a computer is infected, you can't be sure that your scanner is being read and executed correctly? If the OS you're scanning is infected, the malware could be monitoring for clamwin.exe etc and running its own version, or intercepting the important IO calls. I know if I was writing a virus and wanted to take control of as many computers as possible, one of the first things I'd do would be to make it look like my virus wasn't there.

      Surely the only way to really scan a computer is by booting into a guaranteed-clean OS? And even then, isn't there a risk that firmware could be compromised? Or am I just being way too paranoid?

    3. Re:Plenty by RDW · · Score: 2, Informative

      'Surely the only way to really scan a computer is by booting into a guaranteed-clean OS?'

      Yes, and there are a bunch of different, generally Linux-based, bootable CDs that do exactly this. Several of the major antivirus companies make these available, and I tried about half a dozen last year. Not all of them worked well (out of date, or ran slowly, or found too many false positives and deleted them without asking!), but I was happy with the Avira Rescue System:

      http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

      One nice thing about this one is that they update the image 'several times a day' so you don't have to rely on the target system being networked to do an up to date scan (though a net update option is available if you can use it). Hardware support could be more complete (I had to revert to a VGA connection on one system) but otherwise no problems. I haven't tried running this from a flash drive, but there's a guide here:

      http://forum.avira.com/wbb/index.php?page=Thread&threadID=94935

  2. ClamWin by vbraga · · Score: 4, Insightful

    A portable version of ClamWin may do the trick.

    http://www.clamwin.com/content/view/118/89/

    --
    English is not my first language. Corrections and suggestions are welcome.
    1. Re:ClamWin by Anonymous Coward · · Score: 3, Informative

      Yes it does, but you have to turn on the removal feature first (defaults to report-only). SuperAntiSpyware and MalwareBytes also have portable versions (I think MalwareBytes' portable version may be an unsupported mod, though.)

    2. Re:ClamWin by aiht · · Score: 2, Informative

      Plus, if your flash drive is write-protected, then how can you update to the latest definitions?

      Turn off the write-protect?
      You only need it on when you connect it to a possibly-infected customer computer.

  3. Clamwin by Kissing+Crimson · · Score: 2, Interesting

    I have a thumbdrive with Clamwin just for this purpose. I remove the write-protect when I need to update the virus definitions, then flip it back before inserting it in a suspect PC. Works great.

    --
    What's that smell? Ah, that's my karma burning...
  4. UBCD by 0racle · · Score: 5, Informative

    http://www.ubcd4win.com/

    There are several AV products that can be slipstreamed into it, and there are instructions on installing the Ultimate Boot CD onto a thumbdrive, which is handy for keeping AV signatures up to date.

    --
    "I use a Mac because I'm just better than you are."
    1. Re:UBCD by Anonymous Coward · · Score: 2, Funny

      12 people in a row suggested ClamWINAV... I think /. will survive 2 UBCD recommendations...

  5. One option might be... by coerciblegerm · · Score: 2, Informative

    You could try something like F-Prot or Panda Commandline scanner, and just update the definition files on your USB drive manually from time to time.

  6. Use Windows Embedded, not XP Home by MobyDisk · · Score: 5, Insightful

    I work in a similar environment, and although I can't recommend a virus program, I can suggest ways to prevent it. It sounds like the company is creating an embedded device, but is not using an embedded operating system. Microsoft Windows embedded forbids writes to the C: drive when you enable EWF or FBWF. EWF gives you a memory overlay so software *can* write to C:, but if you get infected, you just reboot the machine. Alternatively, a good Micro-ATX BIOS will support making the drives read-only.

    1. Re:Use Windows Embedded, not XP Home by crakbone · · Score: 2, Informative

      google steadystate from microsoft

    2. Re:Use Windows Embedded, not XP Home by Ramze · · Score: 3, Informative

      I've found the "Shared Computer Toolkit for Windows XP" can be very helpful at locking down exactly what can be changed on an XP build... including allowing changes, but wiping them after a reboot.
      http://www.microsoft.com/presspass/newsroom/winxp/SharedToolkitFS.mspx
      It's now called "Windows SteadyState 2.5"
      http://www.microsoft.com/downloads/details.aspx?familyid=d077a52d-93e9-4b02-bd95-9d770ccdb431&displaylang=en

    3. Re:Use Windows Embedded, not XP Home by saverio911 · · Score: 2, Informative

      I use EWF (which stands for Enhanced Write Filter) on my XP machine in my car. It works very well, up to the point where the temporary space for cached disk writes overruns the memory buffer. It has only happened once, when I forgot to turn off EWF to install something. The directions I used are located on MP3Car.com. (http://www.mp3car.com/vbulletin/winnt-based/38484-new-ewf-minlogon-cf-instructions.html)

  7. So let me get this straight... by Marx_Mrvelous · · Score: 2, Interesting

    Instead of protecting the device proactively by using some sort of AV, application whitelist, or other device control, you want to let them keep getting infected, over and over, so your users have to keep using the USB device to remove the malware infections over and over? Brilliant.

    --
    Moderation: Put your hand inside the puppet head!
    1. Re:So let me get this straight... by Anonymous Coward · · Score: 2, Informative

      There's a difference between Service Provider and Solution Provider

    2. Re:So let me get this straight... by BitZtream · · Score: 2, Funny

      It is brilliant if you're just a service tech that's paid to 'fix the machine' and can't actually do anything to 'fix the machine'.

      As an example: Windows XP is used for photo printing booths at various 1 hour photo places. Joe the plumber plugs in a flash device and prints his pictures.

      They are made by SomeBigCompany, but the pharmacy down the street has one and needs it repaired, so JohnTheRepairMan comes to fix it. He can't fix the fact that it loads the autorun on flash devices even though it's not supposed to, because SomeBigCompany says no, and if he does it anyway, SomeBigCompany will not continue to consider him an 'authorized repair man'.

      John, however, is allowed to say 'it's got a virus, reimage or repair'.

      John just wants a way to speed up his 'reimage/repair' calls since he isn't actually allowed to do something to fix the problem.

      John wins twice. A) He spends less time on a call that he gets paid a fixed price for anyway, so more profit and more importantly B) because SomeBigCompany doesn't care about the wasted cash, John gets to continue making a living.

      John doesn't want it fixed. It's not his fault. He's not allowed to fix it. He is in the position to be the customer's hero and have the customer thank him while he takes money from them for something he could actually make not happen again.

      From John's perspective ... it is brilliant, and he's not even doing anything mildly wrong or immoral.

      Sometimes your perspective on the problems you see here on slashdot is ... incomplete at best.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:So let me get this straight... by tinkerghost · · Score: 3, Interesting

      Don't ever underestimate the stupidity of customers.

      Techs doing residential work live on it. Face it, nothing involved in doing a virus removal is rocket science. I had a customer who used to call me every other month to clean up their son's computer. Now the son's at college and it's someone else's goldmine.

  8. Re:clamav by toastar · · Score: 2, Insightful

    While it won't catch everything, clamav, I believe, can be set up on the usb drive to be used that way.

    Nothing will catch everything. The second you write it to disk your virus definitions will be out of date.

  9. Bitdefender is a darn good product by jeffmeden · · Score: 2, Informative

    How about using the BitDefender rescue disk, (available in ISO format, but portable to a USB key) and asking the customer to reboot the PC and allow it to boot entirely from the USB key?

    Licensing may be a grey area on that one though, depending on how widely you are distributing it.

    One problem with using a windows application is that it may be up against a virus that is entrenched and will simply stop the cleaning from taking place. If this is the case, you need something that will activate on boot, or better yet boot on its own (like the Bitdefender.)

    There is probably a more elegant solution though, since this is a highly controlled environment. Maybe more restrictive user level controls are in order, forcing the users to log in with minimal privileges?

  10. AVG and SuperAntiSpyware by at_slashdot · · Score: 2, Informative

    AVG has a "rescue CD" (http://free.avg.com/ww-en/kb.pnuid-1267095510); it can be written on a USB flashdrive. Also SuperAntiSpyware has a portable scanner: http://www.superantispyware.com/portablescanner.html

    --
    "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
  11. SUPERAntiSpyware Portable by DodgeRules · · Score: 3, Informative

    http://www.superantispyware.com/portablescanner.html I have had good luck with this. Hope you do too.

    1. Re:SUPERAntiSpyware Portable by Pharmboy · · Score: 2, Funny

      I see Antivirus 2010 on half the computers I come across, it must be a good product since everyone has it! ;)

      --
      Tequila: It's not just for breakfast anymore!
  12. Re:Your post doesn't make sense. by Fwipp · · Score: 2, Funny

    TFS says that they come preinstalled with the variant colloquially known as Windows XP Home.

  13. Yes! The old school SCAN.EXE and CLEAN.EXE by Saint+Stephen · · Score: 5, Informative

    Back in the BBS days, from McAfee, you could download SCAN.EXE and CLEAN.EXE and run them on DOS.

    And - you still can!

    Go to their website and find the command line scanner for win32. It claims to be a trial version, but with no install routine and being a command line program, that doesn't mean much. It uses the same .DAT files that you download for any other VirusScan program.

    I get a huge chuckle when I run it, because it's exactly the same way it was in 1988 and that's the way it oughta be. All this other crap is fer lamos :-)

  14. Re:clamav by csrjjsmp · · Score: 4, Informative

    Other programs will catch 98-99%. Clamwin is lucky to catch 30.

  15. Re:clamav by profplump · · Score: 2, Insightful

    99% of what? The viruses they have definitions for? There's not a product on the market that catches 99% of all viruses.

    You might make a comparison of the number of entries in their definitions library, or the different techniques each has available to match the various types of obfuscation in use, but a claim of catching 99% is both meaningless and unsupportable.

  16. and spyware detected/removed this way by Ilgaz · · Score: 2, Informative

    It isn't very widely known but, clamav doesn't detect "spyware" by default. If you pass '--detect-pua' (potentially unwanted apps) to its arguments, it will detect them too.

    Of course, in this situation, if he "fixes" the computer via removing spyware and idiot customer jumps up and down saying "his mp3 downloader is broken", it will cause some issues. That is why most antiviruses stay away from detecting spyware by default.
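
      Two behaviours from this thread are worth seeing in working code: the ClamWin reply above notes that the portable scanner defaults to report-only and removal has to be switched on, and the post here notes that PUA (potentially unwanted application) signatures are skipped unless `--detect-pua` is passed. The following is an added example, not ClamWin or ClamAV code, showing a minimal offline signature scanner with both of those opt-ins, plus a definitions-age check for the case where the definitions live on a write-protected drive and are only refreshed now and then. The `name:category:kind:value` definitions format, the signature names, the `CONSTRUCTED-TEST-MARKER-A` pattern and the sample files are all constructed for this example; real ClamAV database formats differ.

```python
from __future__ import annotations

import hashlib
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class Signature:
    name: str       # constructed name, e.g. "Constructed.Marker.A"
    category: str   # "malware" or "pua" (potentially unwanted application)
    kind: str       # "sha256" (whole-file hash) or "bytes" (hex-encoded pattern)
    value: str


@dataclass
class ScanReport:
    scanned: int = 0
    hits: list = field(default_factory=list)      # (path, signature name, category)
    removed: list = field(default_factory=list)   # paths deleted, only with remove=True


def load_definitions(defs_path: Path) -> tuple[list[Signature], float]:
    """Parse one 'name:category:kind:value' signature per line (a format constructed
    for this example) and return the signatures plus the file's age in days.
    On a write-protected drive the file's mtime is the freshness indicator you have."""
    sigs = []
    for line in defs_path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, category, kind, value = line.split(":", 3)
        sigs.append(Signature(name, category, kind, value.lower()))
    age_days = (time.time() - defs_path.stat().st_mtime) / 86400.0
    return sigs, age_days


def definitions_stale(age_days: float, max_age_days: float = 7.0) -> bool:
    """True when the definitions have not been refreshed within max_age_days."""
    return age_days > max_age_days


def match_file(path: Path, sigs: list[Signature], detect_pua: bool) -> Signature | None:
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    for sig in sigs:
        if sig.category == "pua" and not detect_pua:
            continue  # PUA signatures are ignored unless explicitly requested
        if sig.kind == "sha256" and digest == sig.value:
            return sig
        if sig.kind == "bytes" and bytes.fromhex(sig.value) in data:
            return sig
    return None


def scan_tree(root: Path, sigs: list[Signature], *, remove: bool = False,
              detect_pua: bool = False) -> ScanReport:
    """Report-only by default; files are deleted only when remove=True is passed."""
    report = ScanReport()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        report.scanned += 1
        sig = match_file(path, sigs, detect_pua)
        if sig is None:
            continue
        report.hits.append((str(path), sig.name, sig.category))
        if remove:
            path.unlink()  # a real tool would quarantine rather than delete outright
            report.removed.append(str(path))
    return report


MARKER = b"CONSTRUCTED-TEST-MARKER-A"  # constructed pattern, not a real signature


def build_sample_tree(base: Path) -> tuple[Path, Path]:
    """Create a constructed 'customer disk' and a constructed definitions file."""
    root = base / "customer_disk"
    root.mkdir()
    (root / "clean.txt").write_bytes(b"nothing to see here\n")
    (root / "bad.bin").write_bytes(b"\x00\x01" + MARKER + b"\x02")
    pua_blob = b"constructed toolbar installer payload\n"
    (root / "toolbar_installer.exe").write_bytes(pua_blob)
    defs = base / "definitions.txt"
    defs.write_text(
        "# constructed definitions for the example; not a ClamAV database\n"
        f"Constructed.Marker.A:malware:bytes:{MARKER.hex()}\n"
        f"PUA.Constructed.Toolbar:pua:sha256:{hashlib.sha256(pua_blob).hexdigest()}\n"
    )
    return root, defs


def run_demo() -> dict:
    base = Path(tempfile.mkdtemp())
    root, defs = build_sample_tree(base)
    sigs, age = load_definitions(defs)
    first = scan_tree(root, sigs)                                  # default: report only, no PUA
    second = scan_tree(root, sigs, remove=True, detect_pua=True)   # both opt-ins enabled
    return {
        "definitions_stale": definitions_stale(age),
        "report_only_hits": [h[1] for h in first.hits],
        "report_only_removed": len(first.removed),
        "full_hits": sorted(h[1] for h in second.hits),
        "full_removed": len(second.removed),
        "clean_file_survives": (root / "clean.txt").exists(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

      The first pass finds only the malware marker and deletes nothing; the second pass, with both switches on, also reports the PUA hash match and removes both files while leaving `clean.txt` alone. The stale-definitions check is the kind of thing a tech wants surfaced before trusting a clean result from a drive whose write-protect tab has been on for weeks.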

  17. Re:You need a bigger gun. by b4dc0d3r · · Score: 3, Insightful

    It's a good suggestion, but these are likely random users bringing in an out of warranty computer. They ideally should be keeping their own clean images, but they didn't, and they don't want to lose their stuff. Scan and clean is the way to go here, not reimage.

  18. F-Prot by mcrbids · · Score: 2, Interesting

    Why run Antivirus from an O/S that is vulnerable? F-prot has a Linux version that works well on the command line, and detects Windows viruses. Set up a Fedora boot CD/Flash disk and run the latest f-prot on it, and relax in the comfort of knowing that you are virus scanning from a position of relative security.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  19. Stinger by jdimpson · · Score: 2, Informative