6 Replies Latest reply on Nov 15, 2014 11:55 AM by susja

    How to perform a full scan of usb flash drive

    susja

      Hello,

      We have a standalone PC which is not connected to network. It has McAfee VSE installed. We will update DAT manually.

      The goal for this isolated PC is to scan USB thumb drive only.

      Could someone please point me to how I could configure VSE 8.7i in order to perform a full scan of a thumb drive? We don't want it to be scanned when the user reads/writes from the drive, because the user will not be allowed to do this. The only objective is to perform a full scan of the flash drive.

      If you could suggest command line option it would work for us as well.

      Again the goal is solely to scan thumb drive ..

       

      Thanks in advance

        • 1. Re: How to perform a full scan of usb flash drive
          rmetzger

          susja wrote:

           

          We have a standalone PC which is not connected to network.

           

          It has McAfee VSE installed. We will update DAT manually.

           

          The goal for this isolated PC is to scan USB thumb drive only.

           

          Could someone please point me to how I could configure VSE 8.7i in order to perform a full scan of a thumb drive?

           

          We don't want it to be scanned when the user reads/writes from the drive, because the user will not be allowed to do this.

          The only objective is to perform a full scan of the flash drive.

           

          If you could suggest command line option it would work for us as well.

          I understand the use of VSE 8.7i is the goal. However, I don't know if this is simple or possible to configure a 'command line' to scan a  USB Flash Drive.

           

          Using VirusScan Command Line Scanner, I use a batch file. It is installed on the C: drive in the McAfee\Scanner directory.

          One issue to improve on is whether the drive is a local hard drive or a removable drive. (That is not as easy to determine as you may think.) The drive letter may change and is likely to be any letter other than C:. This could also include CD/DVD drives. Since this PC is network isolated, we can eliminate network shares. That simplifies the search for the drive letters. However, if you know the CD/DVD drive letter, eliminate it in the search list. I will assume D:, but you may have it at other drive letters as well as possible OEM/Restore partitions. Eliminate these as well. Create a file called Exclude.lst in the C:\McAfee\Scanner directory if any exclusions are needed.

           

          [batch]
          @echo off
          rem Try every drive letter except C: and D: and scan each one that responds.
              C:
              cd C:\McAfee\Scanner
              for %%D in (Z: Y: X: W: V: U: T: S: R: Q: P: o: N: M: L: K: J: I: H: G: F: E: B: A:) do (
                  if exist %%D. call :Scan %%D
              )
            exit /b %ERRORLEVEL%

          :Scan
              rem %* (and %1) is the drive letter passed in by the loop above.
              Scan.exe %* /ANALYZE /MANY /ALL /CLEAN /DAM /NC /NOEXPIRE /PLAD /PROGRAM /SUB /STREAMS /UNZIP /THREADS=4 /TIMEOUT=15 /APPEND /REPORT=C:\McAfee\Scan.log /EXCLUDE=Exclude.lst
              if ERRORLEVEL 1 (
                  rem The loop variable %%D is not visible inside a called routine, so use %1.
                  echo  ?? Scanning %1, the scanner found a problem. Review C:\McAfee\Scan.log for the details.
                  echo  Here is the basic result:
                  if /i %ERRORLEVEL% EQU 2 echo  Integrity check on DAT Failed.
                  if /i %ERRORLEVEL% EQU 6 echo  A general problem occurred.
                  if /i %ERRORLEVEL% EQU 8 echo  The scanner was unable to find a DAT file.
                  if /i %ERRORLEVEL% EQU 10 echo  A virus was found in memory.
                  if /i %ERRORLEVEL% EQU 12 echo  The scanner tried to clean a file, the attempt failed and the file is still infected.
                  if /i %ERRORLEVEL% EQU 13 echo  The scanner found one or more viruses or hostile objects such as a Trojan-horse program, joke program, or test file.
                  if /i %ERRORLEVEL% EQU 15 echo  The scanner's self-check failed; the scanner may be infected or damaged.
                  if /i %ERRORLEVEL% EQU 19 echo  The scanner succeeded in cleaning all infected files.
                  if /i %ERRORLEVEL% EQU 20 echo  Scanning was prevented because of the /FREQUENCY option.
                  if /i %ERRORLEVEL% EQU 21 echo  Computer requires a reboot to clean the infection.
                  pause
                ) else (
                  echo  %* Scanned Clean.
              )
          goto :eof
          [/batch]

           

          Clearly, I did not include much in the way of error recovery, or anything else. Note the rich list of parameters available to configure the scan.

           

          I know that this is not the solution you were looking for, but I don't know if you can do anything better solely with VSE v8.7i.

          If you can make :Scan routine use Scan32.exe, instead of Scan.exe, post the results here so we can all benefit.

           

          Also, please realize that waiting for a complete scan of a large and nearly full flash drive, is likely to make the entire use of the flash drives completely frustrating to the user. Not sure what use scanning flash drives will be in this case given the dramatic delay introduced. Users will usually find ways to avoid using this method rather than waiting for the scan to complete, no matter which scanner used. That is why I prefer setting VSE's OAS to scan on both Read and Write. This allows for catching of malware without the dramatic delay and user frustration. I consider this feature of VSE, a strength.

           

          I hope this is helpful.

          Ron Metzger
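Added example, not part of rmetzger's post: one way to narrow the drive-letter loop above to the drives Windows itself reports as removable, so CD/DVD and restore partitions never need to be listed by hand. It assumes wmic.exe is available on the PC and reuses the post's C:\McAfee\Scanner path and Scan.exe switches; the wrapper's own exit codes (0, 1, 2) are assumptions of this sketch. USB hard disks usually report as fixed disks (DriveType 3) and are not picked up by this filter.

```batch
@echo off
rem Added example: scan only drives that Windows reports as removable.
rem Path and Scan.exe switches are copied from the batch file in the post above.
rem Wrapper exit codes are this sketch's own: 0 = all clean, 1 = a scan
rem returned non-zero, 2 = nothing was scanned.
setlocal EnableDelayedExpansion
cd /d C:\McAfee\Scanner || exit /b 2
set "LOG=C:\McAfee\Scan.log"
set "OPTS=/ANALYZE /MANY /ALL /CLEAN /DAM /NC /NOEXPIRE /PLAD /PROGRAM /SUB /STREAMS /UNZIP /THREADS=4 /TIMEOUT=15 /APPEND /REPORT=%LOG% /EXCLUDE=Exclude.lst"
set "FOUND=0"
set "FAILED="

rem DriveType=2 is "Removable Disk" in Win32_LogicalDisk. find ":" drops the
rem header and the blank lines that wmic prints around the drive letters.
for /f "tokens=1" %%D in ('wmic logicaldisk where "DriveType=2" get DeviceID 2^>nul ^| find ":"') do (
    rem A card-reader slot can own a letter while holding no media; skip it.
    if exist %%D\ (
        set "FOUND=1"
        echo Scanning %%D ...
        Scan.exe %%D %OPTS%
        set "RC=!ERRORLEVEL!"
        if !RC! EQU 0 (
            echo   %%D scanned clean.
        ) else (
            echo   %%D returned code !RC!. Review %LOG%.
            set "FAILED=!FAILED! %%D"
        )
    )
)

rem Fail closed: an empty drive list must not look like a clean result.
if "%FOUND%"=="0" (
    echo No removable drive with media was found. Nothing was scanned.
    exit /b 2
)
if defined FAILED (
    echo Non-zero scanner result on:%FAILED%
    exit /b 1
)
echo All removable drives scanned clean.
exit /b 0
```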

          • 2. Re: How to perform a full scan of usb flash drive
            susja

            - Ron Metzger

            I appreciate your response.

            I understood all your points. 

            Unfortunately my organization is not planning to use VirusScan Command Line Scanner, hence the only option for me is VirusScan Console or scan32.exe.

            Looking into console I did not find any option related to thumb drive ...

            I know that using scan32 is not the right or supported approach for command line scanning .... But since I don't have another choice, don't you think that I could slightly change the batch that you posted above and try to use it?

            Could it work somehow?

            Regarding performance issues related to the scanning time, my organization does not care much about it at this point. The reason behind this is that people outside my organization will come for maintenance of our devices, and they usually bring thumb drives with their software or a CD (not likely), and we will force them to scan it before touching our PCs. We have had bad experiences in the past and that's why we are planning to implement this step.

            Note:

            1. People from external organizations might refuse the read/write procedure with their thumb drives since they hold proprietary data.

            2. Before knowing about CLS I used scan32.exe and in general it worked, although it gave me a hard time, etc. Assuming I have no other option, do you think that I could use your batch with scan32?

            • 3. Re: How to perform a full scan of usb flash drive
              rmetzger

              susja wrote:

               

              1. People from external organizations might refuse the read/write procedure with their thumb drives since they hold proprietary data.

              2. Before knowing about CLS I used scan32.exe and in general it worked, although it gave me a hard time, etc. Assuming I have no other option, do you think that I could use your batch with scan32?

              1) Not sure what read/write procedure you are referring to - I am referring to the absolute minimum configuration of On-Access Scanner that would be allowed whether you scan the entire drive or not. It is the first level of defense. Accessing their software is a Read (When Reading from disk=ON). To catch some malware that runs via Autorun.inf sometimes requires that OAS has When Writing to disk=ON. Without both of these settings ON, you might just as well not bother with Anti-virus software, with today's malware. That includes Scan.exe and Scan32.exe methods. It is important to know that some malware can become active in RAM before a Scan32.exe can be done, thus evading detection, if When reading from disk=OFF or When writing to Disk=OFF is set.

               

              2) Yes, you can modify the :Scan routine to implement Scan32.exe. Like you, I had a hard time making it work 'well' and gave up on it as CLS provided everything I needed from a command line. You can get rid of the ERRORLEVEL checking as I don't know what ErrorLevel values Scan32.exe returns. I was never able to specify exactly how to scan a particular drive, though I haven't tried this in years. Have at it. Let us know if you can get it to work. I would like to see the resulting routine. For what it's worth, see if you can make these changes using VSE v8.8 instead of 8.7i.

               

              Good luck.

              Ron Metzger

              • 4. Re: How to perform a full scan of usb flash drive
                susja

                Thanks for input.

                I will definitely update you when I implement it ... (likely in a few weeks)

                Regarding read/write ... maybe I was not accurate, sorry about that.

                They use their thumb drive to update our PC's hence in my opinion 'read' should be always 'ON'. If you are saying that 'write' also should be 'ON' we could try to ask them to turn it 'ON' (not sure if they will agree )

                Your input is valuable because now I will try to insist my management to force 'external' people turn both 'read and write' 'ON' before scanning. Otherwise we'll compromise our scan expectation.

                Thanks again.

                P.S. Could you confirm that in your opinion .. having 'write' is a must?

                • 5. Re: How to perform a full scan of usb flash drive
                  rmetzger

                  Here is a long-winded dissertation and my opinion on scanning USB flash drives.

                  Automati scan of any external storage (aka USB stick)

                  Within, you will find the logic for both scanning on Read and Write. Since around April, 2009 when w32-Conficker was released in the wild, it became apparent that both Read and Write was needed to stay safe. Prior to that many would only leave When Writing to disk=On. This would help performance and potentially stop hard drives from getting infected. However, the nuances of drive caching proved that this was not enough. Turning on When Reading from disk, was necessary to stop these infections, like w32-Conficker.

                   

                  If 'they' are updating your PC's then you really, really, want When Writing to disk=ON. If they have infected updates on their flash drive, you want the Write operation to be blocked when writing to your C: drive.

                   

                  A thorough reading of vse_880_best_practices_guide.pdf will help greatly.

                   

                  I hope this Helps.

                  Ron Metzger

                  • 6. Re: How to perform a full scan of usb flash drive
                    susja

                    I read carefully the article  Automati scan of any external storage (aka USB stick) and here is my vision how I could achieve my  goal to scan USB flash drive. I see 3 options:

                    1. Configure VirusScan Console -> On-Access Scanner -> All Processes -> Scan Files : both options 'When reading from disk' and 'When writing to disk' will be selected.

                    Expectation: when user inserts USB flash drive On-Access Scanning starts automatically and scans the whole flash drive == my goal is achieved

                    2. User opens Windows Explorer -> locates thumb drive -> right-clicks and selects 'Scan for threats ...'

                    Expectation: scan starts automatically == my goal is achieved

                    3. Modify/adopt batch file -> when user inserts USB drive -> start execution of the batch file

                    Expectation: after user starts batch file it'll scan whole flash drive == my goal is achieved

                    - Ron Metzger, would you agree that I could try any of those 3 options and which one works better for me?

                    P.S. I assume that in case USB drive is not set write=ON I'll have error message and I'll request user to enable write access to his flash drive.