
Stand-Alone Antivirus Software? 159

Posted by timothy
from the lonely-job dept.
An anonymous reader writes "I work for a company that repairs specialty devices that have an embedded Mini-ATX motherboard without a CD-ROM drive and run Windows XP Home. And while the USB flash drives we insert into them have a physical write-protect tab, we still encounter a (rather annoying) display dialog from malware/viruses to remove the write-protect so the malware can infect the flash drive. We don't remove the write-protect, obviously, but would like to offer our customers the option of removing the malware/virus without having to install any software. We would rather not install/uninstall antivirus software even for one-time use, due to various licensing issues, nor do we want to connect to the Internet to use web-based online scanners. Is there any stand-alone anti-virus/anti-malware software for Windows that can be run directly from the write-protected flash drive itself?"

  • Plenty (Score:5, Informative)

    by Anonymous Coward on Thursday June 24, 2010 @04:36PM (#32683164)
    • Re:Plenty (Score:5, Informative)

      by The MAZZTer (911996) <megazzt@NoSPAM.gmail.com> on Thursday June 24, 2010 @04:57PM (#32683496) Homepage
      ClamWin Portable from http://portableapps.com/ [portableapps.com]
      • AV software will never catch everything and just gives a false sense of security.

        My suggestion would be to maintain a clean image of the OS and blow the whole image in, instead of trying to clean the machines.

        Aside from anything else, I believe you have more liability if you do a bad job of something (cleaning the virus) than if you do nothing or do a clean re-install. I'd vote for the reinstall. New viruses are very stealthy and getting better all the time. I don't know of any reliable way to detect
        • by b4dc0d3r (1268512) on Thursday June 24, 2010 @10:27PM (#32686498)

          It's a good suggestion, but these are likely random users bringing in an out of warranty computer. They ideally should be keeping their own clean images, but they didn't, and they don't want to lose their stuff. Scan and clean is the way to go here, not reimage.

          • I'm not sure these are general purpose computers. It sounds like some sort of tool or device.
          • by Z00L00K (682162)

            Even then it shouldn't be a problem, at least when it comes to the operating system.

            Windows computers will always benefit from the yearly reinstall.

  • the boyz and i have tried to figure out a solution to that same problem. AVG has a linux based rescue cd as well as some other guys, it could easily be adapted to a usb disk
    • by Anpheus (908711)

      You should be careful though, because renaming or cleaning a system file can leave the machine unbootable or prone to strange BSODs.

  • ClamWin (Score:5, Insightful)

    by vbraga (228124) on Thursday June 24, 2010 @04:36PM (#32683174) Journal

    A portable version of ClamWin may do the trick.

    http://www.clamwin.com/content/view/118/89/ [clamwin.com]

    • by pmsr (560617)

      It won't do the trick. ClamWin doesn't remove malware or viruses.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Yes it does, but you have to turn on the removal feature first (defaults to report-only). SuperAntiSpyware and MalwareBytes also have portable versions (I think MalwareBytes' portable version may be an unsupported mod, though.)

        • It isn't very widely known but, clamav doesn't detect "spyware" by default. If you pass '--detect-pua' (potentially unwanted apps) to its arguments, it will detect them too.

          Of course, in this situation, if he "fixes" the computer via removing spyware and idiot customer jumps up and down saying "his mp3 downloader is broken", it will cause some issues. That is why most antiviruses stay away from detecting spyware by default.

          • by hitmark (640295)

            spybot? gotta love the immunize feature. Still, that needs to be refreshed regularly...

    • Works for me, 60% of the time, every time.

      (The other 40% are when we come across old Bios versions that don't allow you to boot from the USB).

    • I really think with such usage and money is being made

      http://www.clamwin.com/content/view/180/105/ [clamwin.com] (donation)

      and of course, same donation to clamav(.net), the "real thing" should be made.

      People may think such famous projects are swimming in donations money but it is generally not the reality. There is no license confusion there either, it is free but donations accepted, whatever money you feel like. In TV business, I sometimes see ffmpeg being used in million dollar projects without a cent of donation, it r

  • While it won't catch everything, clamav i believe can be setup on the usb drive to be used that way.

    • Re: (Score:3, Insightful)

      by toastar (573882)

      While it won't catch everything, clamav i believe can be setup on the usb drive to be used that way.

      Nothing will catch everything, The second you write it to disk your virus definitions will be out of date.

      • Re:clamav (Score:4, Informative)

        by csrjjsmp (819838) on Thursday June 24, 2010 @05:54PM (#32684378) Homepage
        Other programs will catch 98-99%. Clamwin is lucky to catch 30.
        • Re: (Score:3, Insightful)

          by profplump (309017)

          99% of what? The viruses they have definitions for? There's not a product on the market that catches 99% of all viruses.

          You might make a comparison of the number of entries in their definitions library, or the different techniques each has available to match the various types of obfuscation in use, but a claim of catching 99% is both meaningless and unsupportable.

        • by Bryansix (761547)
          Actually besides missing a lot of viruses my problem with ClamAV or ClamWin was the false positives that would quarantine critical system files making computers unbootable.
        • by BagOBones (574735)

          I agree, clamAV has a very mediocre success rate in our environment, it runs as an extra feature on our anti spam appliance as first line defense.. Our multi engine exchange antivirus package still manages to get hits on it in the backend..

          It is good for reducing load on our backend systems... I would never trust it as a desktop scanner.. it regularly scores poorly in 3rd party test reports as well.

  • Clamwin (Score:3, Interesting)

    by Kissing Crimson (197314) <jonesy@NoSPaM.crimsonshade.com> on Thursday June 24, 2010 @04:37PM (#32683188) Homepage

    I have thumbdrive with Clamwin just for this purpose. I remove the write-protect when I need to update the virus definitions, then flip it back before inserting in a suspect PC. Works great.

    • F-Prot (Score:3, Interesting)

      by mcrbids (148650)

      Why run Antivirus from an O/S that is vulnerable? F-prot has a Linux version that works well on the command line, and detects Windows viruses. Set up a Fedora boot CD/Flash disk and run the latest f-prot on it, and relax in the comfort of knowing that you are virus scanning from a position of relative security.

  • by stevel (64802) *

    I know that U3-enabled flash drives can run AV scans directly from the flash drive. I don't know if this requires that some part of the drive be writeable. U3 drives appear as a CD-ROM plus a separate flash drive. http://en.wikipedia.org/wiki/U3 [wikipedia.org]

    • Running a U3 drive is asking for trouble. I don't know of any portable storage technology that has more malicious payloads available for free download on the net. The problems have been detailed widely... I stopped using U3 devices after an article in 2600 (Winter07/08) got me looking into the technology. I absolutely could not believe what my research uncovered.

  • UBCD (Score:5, Informative)

    by 0racle (667029) on Thursday June 24, 2010 @04:38PM (#32683216)
    http://www.ubcd4win.com/ [ubcd4win.com]

    There are several AV products that can be slipstreamed into it, and there are instructions on installing the Ultimate Boot CD onto a thumbdrive, which is handy for keeping AV signatures up to date.
  • You could try something like F-Prot or Panda Commandline scanner, and just update the definition files on your USB drive manually from time to time.
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Agree. F-Prot is cross platform. That means you might have success booting a Linux distro on flash with f-prot installed, updating its virus definitions, and then scanning the infected blob, oops, I mean Windows.

      Another option for a standalone scanner is bart-pe. Pay attention to treatment of registry objects, though.

    • by Hatta (162192)

      That's exactly what I was going to say. F-Prot is good shit. Load it on a live USB image (unetbootin is your friend) and you're good to go.

      Another thing worth mentioning... From what I've read, the write protect tabs on USB flash devices are implemented in software, not hardware. It would be entirely possible for a compromised PC to load a driver that ignores that flag. Perhaps a USB CDROM would be safer.

  • 100% of the system is read only? I assume you are using a ramdrive or something like that for tmp files and the like? I don't know shit about windows, but I don't think it's going to run without any kind of writable space.

    OTOH, if you want a simple solution to this issue, and the system is read-only, I think your simplest antivirus solution is called "reboot".

    Of course, you should be looking into running GNU/Linux in these babies. It certainly runs better on Atom than windows ever will.

    • His USB is read only, not the system. He wants to RUN an antivirus without installing it on the computer. Which is possible, the most common around are boot CD's (or live CD's), where you boot up an antivirus operating system instead of the windows on your hard drive, from a CD-Rom you insert. His problem was that the computers don't have CD Rom's, so he's looking for the equivalent with a USB stick, which there are still quite a few of.

      The problem he'll likely run across is an out of date BIOS that doesn't

      • I use PXE for stuff like this, or a simple tftp server for embedded devices. As long as you don't get stuck needing to work with emdeb crush (arm) the custom roll is the hardest part and even that is dead simple these days.

    • 100% of the system is read only? I assume you are using a ramdrive or something like that for tmp files and the like? I don't know shit about windows, but I don't think it's going to run without any kind of writable space.

      OTOH, if you want a simple solution to this issue, and the system is read-only, I think your simplest antivirus solution is called "reboot".

      Of course, you should be looking into running GNU/Linux in these babies. It certainly runs better on Atom than windows ever will.

      The flash drive is a read only maintenance tool. The system is not read only. He wants something that he can run from the flash drive.

    • by Intron (870560)
      If the system were 100% read only, how would it have gotten infected?
      • Re: (Score:2, Funny)

        by Fwipp (1473271)

        TFS says that they come preinstalled with the variant colloquially known as Windows XP Home.

  • by MobyDisk (75490) * on Thursday June 24, 2010 @04:41PM (#32683246) Homepage

    I work in a similar environment, and although I can't recommend a virus program, I can suggest ways to prevent it. It sounds like the company is creating an embedded device, but is not using an embedded operating system. Microsoft Windows embedded forbids writes to the C: drive when you enable EWF or FBWF. EWF gives you a memory overlay so software *can* write to C:, but if you get infected, you just reboot the machine. Alternatively, a good Micro-ATX BIOS will support making the drives read-only.

    • Microsoft Windows embedded forbids writes to the C: drive when you enable EWF or FBWF. EWF gives you a memory overlay so software *can* write to C:, but if you get infected, you just reboot the machine.

      Any way I can put that tech on regular XP?
    • A lot of that custom software does not like lock down and some of it likes to store logs / other stuff that will get lost with that reset C: on reboot, and no, it's not easy to make it put that stuff on another disk / some of it was coded for Windows 9x and no, they will not make it work for UAP / limited user.

      Also turning off admin will not work for a lot of that software as well.

  • You should definitely check out portableapps.com [portableapps.com]. Lots of OSS that can be run from a thumb drive.

  • by Marx_Mrvelous (532372) on Thursday June 24, 2010 @04:41PM (#32683258) Homepage
    Instead of protecting the device proactively by using some sort of AV, application whitelist, or other device control, you want to let them keep getting infected, over and over, so your users have to keep using the USB device to remove the malware infections over and over? Brilliant.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      There's a difference between Service Provider and Solution Provider

    • Re: (Score:2, Funny)

      by BitZtream (692029)

      It is brilliant if you're just a service tech that's paid to 'fix the machine' and can't actually do anything to 'fix the machine'

      As an example: Windows XP used for photo printing booths at various 1 hour photo places. They let Joe the plumber plug in a flash device and print his pictures.

      They are made by SomeBigCompany, but the pharmacy down the street has one and needs it repaired, so JohnTheRepairMan comes to fix it. Can't fix the fact that it loads the autorun on flash devices even though it's not supposed to bec

    • by Grishnakh (216268)

      The customers are probably stupid. They're running Windows XP Home, after all. The guy could try to sell them AV software, but they'll probably whine that it costs too much or they don't want to spend the money. He's trying to be helpful by cleaning his customers' systems without requiring them to buy additional software licenses.

      Don't ever underestimate the stupidity of customers.

      • by tinkerghost (944862) on Thursday June 24, 2010 @05:38PM (#32684136) Homepage

        Don't ever underestimate the stupidity of customers.

        Techs doing residential work live on it. Face it, nothing involved in doing a virus removal is rocket science. I had a customer who used to call me every other month to clean up their son's computer. Now the son's at college and it's someone else's goldmine.

        • by tunapez (1161697)
          It may not be rocket science to you and me, but to average Joe it is. Also, it does take time to keep current on the latest threats/bugs, test new tools and then to do the actual removal process, which often isn't as cut & dry as you make it sound. Some occasionally turn into hunting expeditions in file systems 100+GB deep and the 4+ year old registry full of ghosts of installs past, present and future pro-generators.
          Between Fecebook and Spider Solitaire nobody wants to make time to service their compu
    • For prevention, he might want to look into USB Guardian:

      http://www.usb-guardian.com/ [usb-guardian.com]

  • by jeffmeden (135043) on Thursday June 24, 2010 @04:48PM (#32683350) Homepage Journal

    How about using the BitDefender rescue disk, (available in ISO format, but portable to a USB key) and asking the customer to reboot the PC and allow it to boot entirely from the USB key?

    Licensing may be a grey area on that one though, depending on how widely you are distributing it.

    One problem with using a windows application is that it may be up against a virus that is entrenched and will simply stop the cleaning from taking place. If this is the case, you need something that will activate on boot, or better yet boot on its own (like the Bitdefender.)

    There is probably a more elegant solution though, since this is a highly controlled environment. Maybe more restrictive user level controls are in order, forcing the users to log in with minimal privileges?

  • I've recently switched my company over to Sunbelt Systems VIPRE.
    One of the triggers for this was how well this worked...
    http://vipre.malwarebytes.org/ [malwarebytes.org]

    I've used Malwarebytes in many places but the standalone scanner from Vipre is pretty impressive.
  • We would rather not install/uninstall antivirus software even for one-time use, due to various licensing issues, nor do we want to connect to the internet to use web-based online scanners. Is there any stand-alone anti-virus/anti-malware software for Windows that can be run directly from the write-protected flash drive itself?"

    There are many anti-virus vendors that offer free downloadable rescue disks that you can boot from and scan your system. F-Secure, Panda, Avira, AVAST, Bitdefender come to mind. McAfee offers an executable called Stinger.exe and Microsoft's installable Microsoft Security Essentials is free.

    Try any one of those programs from a reputable security software vendor, there are more than listed above.

  • http://www.kaspersky.com

    They have a tool you can create from a working installation, it creates a boot-able CD (PE) that you can clean a system with, I found it works very well. I would imagine it could be installed on boot-able flash disk as well.

    I have found it useful when you don't want to boot up an infected system.

    It is able to update virus/malware definitions if it has the necessary network driver available.
  • Try McAfee's Stinger. http://vil.nai.com/vil/stinger/ [nai.com] Although it is limited, it is stand alone and another tool in your arsenal to remove the nasties. I haven't used it in a while, so YMMV.
  • by at_slashdot (674436) on Thursday June 24, 2010 @04:54PM (#32683444)

    AVG has a "rescue CD" http://free.avg.com/ww-en/kb.pnuid-1267095510 [avg.com] it can be written on a USB flashdrive. Also SuperAntiSpyware has a portable scanner: http://www.superantispyware.com/portablescanner.html [superantispyware.com]

    • by gravis777 (123605)

      I was thinking of Avast Bart myself. MiniPE with updated virus definitions will also do the trick, although I have not tried putting MiniPE on a thumbdrive. Although with MiniPE, you could get into some licensing issues, really never checked into it.

  • I've had great success with SysClean from trendmicro [trendmicro.com]. It's free and may be a bit unintuitive how to get the files required, but it has worked greatly for me in the past for malware that disable AVs and requires no installation.
  • by DodgeRules (854165) on Thursday June 24, 2010 @04:55PM (#32683466)
    http://www.superantispyware.com/portablescanner.html [superantispyware.com] I have had good luck with this. Hope you do too.
    • Re: (Score:3, Funny)

      by Pharmboy (216950)

      I see Antivirus 2010 on half the computers I come across, it must be a good product since everyone has it! ;)

      • I see Antivirus 2010 on half the computers I come across, it must be a good product since everyone has it! ;)

        Is that one of those fake anti-virus hostage programs like AV Security Suite? I've gone at least 5-8 years running Windows XP Pro and haven't had an issue with a virus during that time. In the last 3 days I've had issues with AV Security Suite getting onto my systems. How the hell isn't that company or whomever is running the scam websites not getting slapped down by the police?

        I'm guessing that w

        • Which police department is exactly responsible?

          have you completely missed every reference to the lawlessness of the net?

          there is no central authority to do what you so glibly suggest is the problem of the "Police"

          • Which police department is exactly responsible?

            have you completely missed every reference to the lawlessness of the net?

            there is no central authority to do what you so glibly suggest is the problem of the "Police"

            When people like AV security suite have storefronts which collect and charge credit cards one would think that it's not that hard to track.

            Am I being glib? It might be complicated, but this isn't exactly a difficult thing to track and given the ubiquity of Windows, isn't just harming people in a s

            • Storefronts located in eastern Europe/China? Else rotating through different payment processors as they are shut down? I tend to agree with you though. In theory it should be a simple thing to shut down a seemingly fixed target. The fact that they haven't been shut down yet implies that it's not as simple as it sounds.
      • by mcgrew (92797) *

        I see Windows on almost all the computers I come across, it must be a GREAT product since everyone has it! ;)

        Oh wait...

  • I use Combofix. It has to be able to connect to the Internet to update, though. Unless you want to constantly download the newest version onto the drive.
  • From what I understand the article states:

    a) these devices are owned by the customer and have a hard drive with moving parts running Windows XP Home

    b) the company wants to offer one-shot cleanups that they can run from a usb drive

    If this is true, you definitely want to check this out: http://www.ubcd4win.com/ [ubcd4win.com] - this tool is designed to create bootable optical disks and also bootable USB flash drives, both to run a BartPE based Windows XP-like environment. The tool includes several virus and malware
  • If the device has a USB port, you can just plug in a USB optical drive and use any old AV boot disk. there's no reason to restrict yourself to just thumb drives.
  • by Saint Stephen (19450) on Thursday June 24, 2010 @05:23PM (#32683882) Homepage Journal

    Back in the BBS days, from McAfee, you could download SCAN.EXE and CLEAN.EXE and run them on DOS.

    And - you still can!

    Go to their website and find the command line scanner for win32. It claims to be a trial version, but with no install routine and being a command line program, that doesn't mean much. It uses the same .DAT files that you download for any other VirusScan program.

    I get a huge chuckle when I run it, because it's exactly the same way it was in 1988 and that's the way it oughta be. all this other crap is fer lamos :-)

  • I don't have any write-protect drives on me right now, but I think these may have worked in the past: ComboFix, Dr.Web CureIt!, and... oh, that's it. In your search, try looking for 'portable' versions of your favorite virus scanners; that's what they usually call the kind that can run off flash drives, and some may work on write-protect ones. BTW, if you're worried about licensing, running from a locked flash drive may not clear you automatically. When you run the program, it kind of "installs" to RAM, and
  • I have a USB stick with Linux & TWM. It's some variant of Debian. I have it set up with clamAV and I run FreshClam before going out for a job. I made sure I have a CD that I can boot & chroot if the hardware won't boot off of a USB HD. By running the separate OS, I don't have to worry about a rootkit hiding itself from the Windows OS. I know several people who also have XP running from flash drives & run MBAM and other software from them.
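The offline ClamAV workflow described in the comment above (signatures refreshed with freshclam beforehand, scan run from a separately booted Linux), together with the `--detect-pua` and report-only-by-default points made earlier in the thread, as an added example that is not any poster's own script. The directory layout, the 7-day freshness threshold and the function names `defs_fresh` and `scan` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: ClamAV signatures in a
# directory on the write-protected stick, the Windows volume mounted at TARGET,
# and a RAM-backed directory for the log (the stick itself cannot be written).

# defs_fresh DIR DAYS: succeed if DIR holds a .cvd/.cld signature file
# modified within the last DAYS days, i.e. freshclam was run recently.
defs_fresh() {
    _hit=$(find "$1" -type f \( -name '*.cvd' -o -name '*.cld' \) \
             -mtime "-$2" 2>/dev/null | head -n 1)
    [ -n "$_hit" ]
}

# scan DEFS TARGET LOG [QUARANTINE_DIR]: run clamscan and print a verdict.
# Report-only unless QUARANTINE_DIR is given; hits are then moved aside, not
# deleted, so a false positive on a system file can be put back. Moving needs
# an existing, writable quarantine directory and a writable target volume.
scan() {
    _defs=$1 _target=$2 _log=$3 _quar=${4:-}
    # Signatures come from the stick; PUA detection is off unless requested.
    set -- --database="$_defs" --recursive --infected \
           --detect-pua=yes --log="$_log"
    if [ -n "$_quar" ]; then
        set -- "$@" --move="$_quar"
    fi
    _rc=0
    clamscan "$@" "$_target" >/dev/null || _rc=$?
    # clamscan exit codes: 0 = nothing found, 1 = virus found, 2 = error
    case $_rc in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
    return "$_rc"
}

# Stand-alone use: ./offline-scan.sh DEFS_DIR TARGET [QUARANTINE_DIR]
if [ "$#" -ge 2 ]; then
    defs_fresh "$1" 7 || echo "warning: signatures older than 7 days" >&2
    scan "$1" "$2" "${TMPDIR:-/tmp}/clamscan.log" "${3:-}"
fi
```

The per-file findings are in the log file; the printed verdict and exit status only say whether anything was found or the scan itself failed.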
  • http://live.sunbeltsoftware.com/ [sunbeltsoftware.com] Extract it to the USB drive then run it on the offending PC. The only issue that might arise, is that two files are copied to the C: drive before the scan starts. One to C:\Windows\ the other to C:\windows\system32\ Both are necessary for the scanner to work properly.
  • http://www.f-secure.com/en_EMEA/security/tools/rescue-cd/ [f-secure.com]

    I've also had random luck getting this to work from a bootable USB drive that mounts the ISO as well.

  • When dealing with malware, viruses, worms, backdoors, etc., there are many things they can do if they are live.

    The way to shut them down for the moment is a clean boot of a clean verified uninfected source, something like a cd or usb if the hardware/bios permits, also, pull out the network plug, some malware will propagate to other machines over the network, even if you don't think you're accessing it.
    Two things to look out for, some computers may seem to let you boot from those sources, but still load some
  • There are many anti-virus companies that offer versions of their anti-virus on bootable CD's that you can download and run for free (legally). It will take just a little bit of Google work but I know you can find ones for Avira, Bit Defender, and Kaspersky. There might be more out there but the one I use the most (I work as a PC tech cleaning out lots of viruses.) is the Avira CD. Happy virus killing!

  • Not if you want the system to actually be secure. In order to effectively scan, you'll need up to date virus definitions. If you don't want to be on the network for an online scan, you probably won't want to be on the network to download definitions. It wouldn't matter anyhow, as you can't put them on the USB drive because you want to maintain write-protect. As such, even if you put the AV product on your system, you'd shortly be stuck with out-of-date definitions, unless you have some other writable me

  • That is a problem right there if you are wanting to boot from the infected drive THEN test.. If you can boot off the USB too, why not just boot off USB, then connect/share via SMB to a machine in your shop that has all the scanning stuff and do it from there?

  • Seriously, you're willing to let your customers use the device when it's riddled with malware or whatever, but you want a simple and easy way to clean them when you get one for service?

    Why bother? If you're not interested in preventing the problem, it will come back.

    And as some have recommended, you should work with the suits to either get a more appropriate and robust version of Windows to do what you do, or move to an OS that can be secured. I know this is not just a technical decision, so good luck

  • Antivir has a command line scanner: http://www.avira.com/en/support/support_downloads.html [avira.com]
  • Here is a Linux based CD, that can be installed on a thumb drive.
    http://www.inside-security.de/insert_en.html [inside-security.de]

    It can read/write NTFS and can run CLAM AV.

    I even installed it on a thumb drive with two partitions. Used from Windows, it is a data drive. Boot from it and it goes into Insert Linux Rescue.

    It is pretty spartan and very small so will fit on your older thumb drives that are too small for anything else.

  • Stinger (Score:2, Informative)

    by jdimpson (789437)

    McAfee Stinger

    http://vil.nai.com/vil/stinger/ [nai.com]
