Stand-Alone Antivirus Software? 159
An anonymous reader writes "I work for a company that repairs specialty devices that have an embedded Mini-ATX motherboard without a CD-ROM drive and run Windows XP Home. And while the USB flash drives we insert into them have a physical write-protect tab, we still encounter a (rather annoying) display dialog from malware/viruses to remove the write-protect so the malware can infect the flash drive. We don't remove the write-protect, obviously, but would like to offer our customers the option of removing the malware/virus without having to install any software. We would rather not install/uninstall antivirus software even for one-time use, due to various licensing issues, nor do we want to connect to the Internet to use web-based online scanners. Is there any stand-alone anti-virus/anti-malware software for Windows that can be run directly from the write-protected flash drive itself?"
Plenty (Score:5, Informative)
Re:Plenty (Score:5, Informative)
You need a bigger gun. (Score:2)
My suggestion would be to maintain a clean image of the OS and blow the whole image in, instead of trying to clean the machines.
Aside from anything else, I believe you have more liability if you do a bad job of something (cleaning the virus) than if you do nothing or do a clean re-install. I'd vote for the reinstall. New viruses are very stealthy and getting better all the time. I don't know of any reliable way to detect
Re:You need a bigger gun. (Score:4, Insightful)
It's a good suggestion, but these are likely random users bringing in an out of warranty computer. They ideally should be keeping their own clean images, but they didn't, and they don't want to lose their stuff. Scan and clean is the way to go here, not reimage.
Re: (Score:2)
Re: (Score:2)
Even then it shouldn't be a problem, at least when it comes to the operating system.
Windows computers will always benefit from the yearly reinstall.
Re:Plenty (Score:4, Interesting)
But isn't there a risk with this whole USB-virus-scanner thing that if a computer is infected, you can't be sure that your scanner is being read and executed correctly? If the OS you're scanning is infected, the malware could be monitoring for clamwin.exe, etc., and running its own version, or intercepting the important I/O calls. I know if I was writing a virus and wanted to take control of as many computers as possible, one of the first things I'd do would be to make it look like my virus wasn't there.
Surely the only way to really scan a computer is by booting into a guaranteed-clean OS? And even then, isn't there a risk that firmware could be compromised? Or am I just being way too paranoid?
Re: (Score:3, Informative)
'Surely the only way to really scan a computer is by booting into a guaranteed-clean OS?'
Yes, and there are a bunch of different, generally Linux-based, bootable CDs that do exactly this. Several of the major antivirus companies make these available, and I tried about half a dozen last year. Not all of them worked well (out of date, or ran slowly, or found too many false positives and deleted them without asking!), but I was happy with the Avira Rescue System:
http://www.free-av.com/en/tools/12/avira_antivir [free-av.com]
Re: (Score:2)
Linux's NTFS driver is actually better than the Windows one for removing viruses. It ignores all the permissions on files so you can always read and delete every file.
It also shows files which even a clean Windows will hide. Some rootkits do something to the NTFS stream which makes files invisible even on a clean system; the only way to access them is by name directly. You can tell when it happens because you can see the files being loaded at boot time, e.g. c:\windows\system32\jkhasdakj.dll but jkhasdakj.d
Re: (Score:2)
Or am I just being way too paranoid?
Yes.
Good Luck! (Score:1)
Re: (Score:2)
You should be careful though, because renaming or cleaning a system file can leave the machine unbootable or prone to strange BSODs.
Comment removed (Score:5, Insightful)
Re: (Score:2)
It won't do the trick. ClamWin doesn't remove malware or viruses.
Re: (Score:3, Informative)
Yes it does, but you have to turn on the removal feature first (defaults to report-only). SuperAntiSpyware and MalwareBytes also have portable versions (I think MalwareBytes' portable version may be an unsupported mod, though.)
and spyware detected/removed this way (Score:3, Informative)
It isn't very widely known, but clamav doesn't detect "spyware" by default. If you pass '--detect-pua' (potentially unwanted apps) in its arguments, it will detect them too.
Of course, in this situation, if he "fixes" the computer via removing spyware and idiot customer jumps up and down saying "his mp3 downloader is broken", it will cause some issues. That is why most antiviruses stay away from detecting spyware by default.
Re: (Score:2)
spybot? gotta love the immunize feature. Still, that needs to be refreshed regularly...
Re: (Score:2)
Works for me, 60% of the time, every time.
(The other 40% are when we come across old BIOS versions that don't allow you to boot from the USB).
and another link (Score:2)
I really think, with such usage and money being made,
http://www.clamwin.com/content/view/180/105/ [clamwin.com] (donation)
and of course the same donation to clamav(.net), the "real thing", should be made.
People may think such famous projects are swimming in donation money, but it is generally not the reality. There is no license confusion there either: it is free, but donations are accepted, whatever money you feel like. In the TV business, I sometimes see ffmpeg being used in million-dollar projects without a cent of donation, it r
Re: (Score:2)
I bet little shops are way more ethical.
I thought business ethics was an oxymoron.
Re: (Score:2, Informative)
Plus, if your flash drive is write-protected, then how can you update to the latest definitions?
Turn off the write-protect?
You only need it on when you connect it to a possibly-infected customer computer.
Re: (Score:2)
Mine too. About 2 years ago I personally tested 10 different scanners, including Clam. I was hoping to use those tests to promote Clam, i.e., I was trying to create evidence that Clam was as good as some of the commercial products. In the end, the article came out with Clam in the "not recommended" category. Since then, if I have time, I run it against some other malware I clean off client computers, and the results so far have no
clamav (Score:1)
While it won't catch everything, ClamAV, I believe, can be set up on the USB drive to be used that way.
Re: (Score:3, Insightful)
While it won't catch everything, ClamAV, I believe, can be set up on the USB drive to be used that way.
Nothing will catch everything. The second you write it to disk your virus definitions will be out of date.
Re:clamav (Score:4, Informative)
Re: (Score:3, Insightful)
99% of what? The viruses they have definitions for? There's not a product on the market that catches 99% of all viruses.
You might make a comparison of the number of entries in their definitions library, or the different techniques each has available to match the various types of obfuscation in use, but a claim of catching 99% is both meaningless and unsupportable.
Re: (Score:2)
Re: (Score:2)
I agree, ClamAV has a very mediocre success rate in our environment; it runs as an extra feature on our anti-spam appliance as a first line of defense. Our multi-engine Exchange antivirus package still manages to get hits on it in the backend.
It is good for reducing load on our backend systems. I would never trust it as a desktop scanner; it regularly scores poorly in 3rd-party test reports as well.
Clamwin (Score:3, Interesting)
I have thumbdrive with Clamwin just for this purpose. I remove the write-protect when I need to update the virus definitions, then flip it back before inserting in a suspect PC. Works great.
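The ClamAV/ClamWin suggestions in this thread (run the scanner from a write-protected stick, flip write-protect off only to update definitions, pass --detect-pua because PUA detection is off by default, and remember that definitions go stale) amount to a small workflow. The script below is an added example written for this page, not ClamAV's code or anything posted by the commenters: it refuses to scan with missing or stale signature files, builds the clamscan command line so that the signatures, log and temporary files live in locations of your choosing (clamscan needs a writable temp dir, which a read-only stick cannot provide), and parses clamscan's output and exit code into a single verdict. The clamscan options and exit codes used are the documented ones; the freshness threshold, directory layout and sample output are assumptions.

```python
"""Wrapper for running the ClamAV command-line scanner (clamscan) from a
read-only stick.  Added example for this thread, not ClamAV's own code.
Assumptions: clamscan is on the stick or on the PATH, signature files live in a
directory of their own, and a writable work directory exists for the scan log
and temporary files (the stick is write-protected, so it cannot hold them)."""
from __future__ import annotations

import re
import subprocess
import time
from pathlib import Path

# Real ClamAV database file names; the 7-day freshness threshold is an assumption.
SIGNATURE_FILES = ("main.cvd", "main.cld", "daily.cvd", "daily.cld",
                   "bytecode.cvd", "bytecode.cld")
MAX_SIGNATURE_AGE_DAYS = 7

# Documented clamscan exit codes: 0 no virus, 1 virus(es) found, 2 error(s).
EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$", re.MULTILINE)
SUMMARY_RE = re.compile(
    r"^(?P<key>Known viruses|Scanned files|Infected files): (?P<n>\d+)$", re.MULTILINE)


def newest_signature_mtime(db_dir: Path) -> float | None:
    """Newest mtime among the signature files in db_dir, or None if none exist."""
    mtimes = [p.stat().st_mtime for p in (db_dir / f for f in SIGNATURE_FILES) if p.is_file()]
    return max(mtimes) if mtimes else None


def signatures_are_fresh(newest_mtime, now, max_age_days=MAX_SIGNATURE_AGE_DAYS) -> bool:
    """False when there are no signatures or they are older than max_age_days."""
    if newest_mtime is None:
        return False
    return (now - newest_mtime) <= max_age_days * 86400


def build_clamscan_argv(clamscan, db_dir, targets, log_file, temp_dir,
                        detect_pua=True, remove=False) -> list[str]:
    """Command line for one scan; every path is supplied by the caller."""
    argv = [str(clamscan),
            f"--database={db_dir}",   # signatures kept apart from the binaries
            f"--tempdir={temp_dir}",  # must be writable; the stick is not
            f"--log={log_file}",
            "--recursive", "--infected"]
    if detect_pua:
        argv.append("--detect-pua=yes")  # off by default, as the thread notes
    if remove:
        argv.append("--remove=yes")      # report-only unless asked, like ClamWin
    argv.extend(str(t) for t in targets)
    return argv


def parse_scan_output(output: str) -> dict:
    """Extract the per-file FOUND lines and the numeric summary from clamscan output."""
    found = [(m["path"], m["sig"]) for m in FOUND_RE.finditer(output)]
    summary = {m["key"]: int(m["n"]) for m in SUMMARY_RE.finditer(output)}
    return {"found": found, "summary": summary}


def verdict(exit_code: int, parsed: dict) -> str:
    """Collapse exit code plus summary into one word; inconsistencies count as errors."""
    infected = parsed["summary"].get("Infected files")
    if exit_code == EXIT_CLEAN and infected == 0:
        return "clean"
    if exit_code == EXIT_INFECTED and infected and infected == len(parsed["found"]):
        return "infected"
    return "error"


def run_scan(clamscan, db_dir, targets, work_dir, detect_pua=True, remove=False) -> str:
    """Full workflow: freshness gate, scan, parse.  Returns the verdict string."""
    work_dir = Path(work_dir)
    if not signatures_are_fresh(newest_signature_mtime(Path(db_dir)), time.time()):
        raise RuntimeError("signatures missing or stale: update with write-protect off first")
    (work_dir / "tmp").mkdir(parents=True, exist_ok=True)
    argv = build_clamscan_argv(clamscan, db_dir, targets,
                               work_dir / "clamscan.log", work_dir / "tmp", detect_pua, remove)
    proc = subprocess.run(argv, capture_output=True, text=True)
    return verdict(proc.returncode, parse_scan_output(proc.stdout))


# Constructed sample of clamscan output (not from a real scan), for exercising the parser.
SAMPLE_OUTPUT = """\
/mnt/c/Windows/System32/example.dll: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1000000
Engine version: 0.103.0
Scanned directories: 2
Scanned files: 42
Infected files: 1
Data scanned: 1.00 MB
Time: 1.000 sec (0 m 1 s)
"""
```

A typical call from a rescue environment would be run_scan("/media/stick/clamscan", "/media/stick/db", ["/mnt/c"], "/tmp/work"); the freshness gate is what turns "flip write-protect off to update, then back on" from a habit into a check that fails loudly when someone forgets.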
F-Prot (Score:3, Interesting)
Why run Antivirus from an O/S that is vulnerable? F-prot has a Linux version that works well on the command line, and detects Windows viruses. Set up a Fedora boot CD/Flash disk and run the latest f-prot on it, and relax in the comfort of knowing that you are virus scanning from a position of relative security.
U3? (Score:2)
I know that U3-enabled flash drives can run AV scans directly from the flash drive. I don't know if this requires that some part of the drive be writeable. U3 drives appear as a CD-ROM plus a separate flash drive. http://en.wikipedia.org/wiki/U3 [wikipedia.org]
Re: (Score:1)
Running a U3 drive is asking for trouble. I don't know of any portable storage technology that has more malicious payloads available for free download on the net. The problems have been detailed widely... I stopped using U3 devices after an article in 2600 (Winter07/08) got me looking into the technology. I absolutely could not believe what my research uncovered.
UBCD (Score:5, Informative)
There are several AV products that can be slipstreamed into it, and there are instructions on installing the Ultimate Boot CD onto a thumbdrive, which is handy for keeping AV signatures up to date.
Re: (Score:2, Funny)
12 people in a row suggested ClamWINAV... I think /. will survive 2 UBCD recommendations...
One option might be... (Score:2, Informative)
Re: (Score:1, Interesting)
Agree. F-Prot is cross platform. That means you might have success booting a Linux distro on flash with f-prot installed, updating its virus definitions, and then scanning the infected blob, oops, I mean Windows.
Another option for a standalone scanner is bart-pe. Pay attention to treatment of registry objects, though.
Re: (Score:2)
That's exactly what I was going to say. F-Prot is good shit. Load it on a live USB image (unetbootin is your friend) and you're good to go.
Another thing worth mentioning... From what I've read, the write protect tabs on USB flash devices are implemented in software, not hardware. It would be entirely possible for a compromised PC to load a driver that ignores that flag. Perhaps a USB CDROM would be safer.
Your post doesn't make sense. (Score:2)
100% of the system is read-only? I assume you are using a ramdrive or something like that for tmp files and the like? I don't know shit about Windows, but I don't think it's going to run without any kind of writable space.
OTOH, if you want a simple solution to this issue, and the system is read-only, I think your simplest antivirus solution is called "reboot".
Of course, you should be looking into running GNU/Linux on these babies. It certainly runs better on Atom than Windows ever will.
Re: (Score:2)
His USB is read-only, not the system. He wants to RUN an antivirus without installing it on the computer. Which is possible; the most common around are boot CDs (or live CDs), where you boot up an antivirus operating system instead of the Windows on your hard drive, from a CD-ROM you insert. His problem was that the computers don't have CD-ROMs, so he's looking for the equivalent with a USB stick, of which there are still quite a few.
The problem he'll likely run across is an out of date BIOS that doesn't
Re: (Score:1)
I use PXE for stuff like this, or a simple tftp server for embedded devices. As long as you don't get stuck needing to work with Emdebian Crush (ARM), the custom roll is the hardest part, and even that is dead simple these days.
Re: (Score:1)
100% of the system is read-only? I assume you are using a ramdrive or something like that for tmp files and the like? I don't know shit about Windows, but I don't think it's going to run without any kind of writable space.
OTOH, if you want a simple solution to this issue, and the system is read-only, I think your simplest antivirus solution is called "reboot".
Of course, you should be looking into running GNU/Linux on these babies. It certainly runs better on Atom than Windows ever will.
The flash drive is a read only maintenance tool. The system is not read only. He wants something that he can run from the flash drive.
Re: (Score:2)
Re: (Score:2, Funny)
TFS says that they come preinstalled with the variant colloquially known as Windows XP Home.
Use Windows Embedded, not XP Home (Score:5, Insightful)
I work in a similar environment, and although I can't recommend a virus program, I can suggest ways to prevent it. It sounds like the company is creating an embedded device, but is not using an embedded operating system. Microsoft Windows embedded forbids writes to the C: drive when you enable EWF or FBWF. EWF gives you a memory overlay so software *can* write to C:, but if you get infected, you just reboot the machine. Alternatively, a good Micro-ATX BIOS will support making the drives read-only.
Re: (Score:2)
Any way I can put that tech on regular XP?
Re: (Score:2, Informative)
Seconded.. (Score:2)
in some environments it's a godsend
Re: (Score:2)
Re:Use Windows Embedded, not XP Home (Score:4, Informative)
http://www.microsoft.com/presspass/newsroom/winxp/SharedToolkitFS.mspx [microsoft.com]
It's now called "Windows SteadyState 2.5"
http://www.microsoft.com/downloads/details.aspx?familyid=d077a52d-93e9-4b02-bd95-9d770ccdb431&displaylang=en [microsoft.com]
Re: (Score:2, Informative)
Re: (Score:2)
Absolutely! But it'll take some hacking. I ran it on a first-gen Acer netbook with an 8 GB SSD that liked to hardlock the system on every write.
There's a fair tutorial here [theacerguy.com]. The parts about Vista aren't really relevant, but the gist of it is
alot of that custom software does not like lock do (Score:2)
A lot of that custom software does not like lockdown, and some of it likes to store logs / other stuff that will get lost with that reset of C: on reboot, and no, it's not easy to make it put that stuff on another disk. Some of it was coded for Windows 9x and no, they will not make it work for UAP / limited user.
Also, turning off admin will not work for a lot of that software as well.
Portableapps.com (Score:1)
You should definitely check out portableapps.com [portableapps.com]. Lots of OSS that can be run from a thumb drive.
So let me get this straight... (Score:3, Interesting)
Re: (Score:2, Informative)
There's a difference between Service Provider and Solution Provider
Re: (Score:2, Funny)
It is brilliant if you're just a service tech that's paid to 'fix the machine' and can't actually do anything to 'fix the machine'.
As an example: Windows XP used for photo printing booths at various 1-hour photo places. Then Joe the Plumber plugs in a flash device and prints his pictures.
They are made by SomeBigCompany, but the pharmacy down the street has one and needs it repaired, so JohnTheRepairMan comes to fix it. Can't fix the fact that it loads the autorun on flash devices even though it's not supposed to bec
Re: (Score:2)
The customers are probably stupid. They're running Windows XP Home, after all. The guy could try to sell them AV software, but they'll probably whine that it costs too much or they don't want to spend the money. He's trying to be helpful by cleaning his customers' systems without requiring them to buy additional software licenses.
Don't ever underestimate the stupidity of customers.
Re:So let me get this straight... (Score:4, Interesting)
Techs doing residential work live on it. Face it, nothing involved in doing a virus removal is rocket science. I had a customer who used to call me every other month to clean up their son's computer. Now the son's at college and it's someone else's goldmine.
Re: (Score:2)
Between Fecebook and Spider Solitaire nobody wants to make time to service their compu
Re: (Score:2)
For prevention, he might want to look into USB Guardian:
http://www.usb-guardian.com/ [usb-guardian.com]
Bitdefender is a darn good product (Score:3, Informative)
How about using the BitDefender rescue disk, (available in ISO format, but portable to a USB key) and asking the customer to reboot the PC and allow it to boot entirely from the USB key?
Licensing may be a grey area on that one though, depending on how widely you are distributing it.
One problem with using a Windows application is that it may be up against a virus that is entrenched and will simply stop the cleaning from taking place. If this is the case, you need something that will activate on boot, or better yet boot on its own (like the Bitdefender).
There is probably a more elegant solution though, since this is a highly controlled environment. Maybe more restrictive user level controls are in order, forcing the users to log in with minimal privileges?
Maybe this? (Score:1)
One of the triggers for this was how well this worked...
http://vipre.malwarebytes.org/ [malwarebytes.org]
I've used Malwarebytes in many places but the standalone scanner from Vipre is pretty impressive.
You have lots of Options (Score:2)
We would rather not install/uninstall antivirus software even for one-time use, due to various licensing issues, nor do we want to connect to the internet to use web-based online scanners. Is there any stand-alone anti-virus/anti-malware software for Windows that can be run directly from the write-protected flash drive itself?"
There are many anti-virus vendors that offer free downloadable rescue disks that you can boot from and scan your system. F-Secure, Panda, Avira, AVAST, Bitdefender come to mind. McAfee offers an executable called Stinger.exe, and Microsoft's installable Microsoft Security Essentials is free.
Try any one of those programs from a reputable security software vendor; there are more than listed above.
I have used Kaspersky for this purpose (Score:1)
They have a tool you can create from a working installation; it creates a bootable CD (PE) that you can clean a system with. I found it works very well. I would imagine it could be installed on a bootable flash disk as well.
I have found it useful when you don't want to boot up an infected system.
It is able to update virus/malware definitions if it has the necessary network driver available.
Stinger (Score:1)
AVG and SuperAntiSpyware (Score:3, Informative)
AVG has a "rescue CD" http://free.avg.com/ww-en/kb.pnuid-1267095510 [avg.com] that can be written to a USB flash drive. Also, SuperAntiSpyware has a portable scanner: http://www.superantispyware.com/portablescanner.html [superantispyware.com]
Re: (Score:2)
I was thinking of Avast Bart myself. MiniPE with updated virus definitions will also do the trick, although I have not tried putting MiniPE on a thumbdrive. Although with MiniPE, you could get into some licensing issues, really never checked into it.
SysClean from trendmicro (Score:2)
SUPERAntiSpyware Portable (Score:4, Informative)
Re: (Score:3, Funny)
I see Antivirus 2010 on half the computers I come across, it must be a good product since everyone has it! ;)
Re: (Score:2)
I see Antivirus 2010 on half the computers I come across, it must be a good product since everyone has it! ;)
Is that one of those fake anti-virus hostage programs like AV Security Suite? I've gone at least 5-8 years running Windows XP Pro and haven't had an issue with a virus during that time. In the last 3 days I've had issues with AV Security Suite getting onto my systems. How the hell is that company, or whoever is running the scam websites, not getting slapped down by the police?
I'm guessing that w
The police? (Score:2)
Which police department is exactly responsible?
have you completely missed every reference to the lawlessness of the net?
there is no central authority to do what you so glibly suggest is the problem of the "Police"
Re: (Score:2)
Which police department is exactly responsible?
have you completely missed every reference to the lawlessness of the net?
there is no central authority to do what you so glibly suggest is the problem of the "Police"
When people like AV security suite have storefronts which collect and charge credit cards one would think that it's not that hard to track.
Am I being glib? It might be complicated, but this isn't exactly a difficult thing to track and given the ubiquity of Windows, isn't just harming people in a s
Re: (Score:2)
Re: (Score:2)
I see Windows on almost all the computers I come across, it must be a GREAT product since everyone has it! ;)
Oh wait...
Re: (Score:2)
I see Windows on almost all the computers I come across, it must be a GREAT product since everyone has it! ;)
It is. It even runs Linux! [cygwin.com]
Combofix (Score:1)
UBCD4Win would probably be a good tool for you (Score:1)
a) these devices are owned by the customer and have a hard drive with moving parts running Windows XP Home
b) the company wants to offer one-shot cleanups that they can run from a usb drive
If this is true, you definitely want to check this out: http://www.ubcd4win.com/ [ubcd4win.com] - this tool is designed to create bootable optical disks and also bootable USB flash drives, both to run a BartPE based Windows XP-like environment. The tool includes several virus and malware
usb optical drive (Score:2)
Yes! The old school SCAN.EXE and CLEAN.EXE (Score:5, Informative)
Back in the BBS days, from MacAffee, you could download SCAN.EXE and CLEAN.EXE and run them on DOS.
And - you still can!
Go to their website and find the command line scanner for win32. It claims to be a trial version, but with no install routine and being a command line program, that doesn't mean much. It uses the same .DAT files that you download for any other VirusScan program.
I get a huge chuckle when I run it, because it's exactly the same way it was in 1988 and that's the way it oughta be. all this other crap is fer lamos :-)
Typo! (Score:2)
McAfee [mcafee.com] (one f). :P
Re: (Score:2)
So? I am a basic spelling and grammar nazi! Do you have a problem? And good call on the "a" part.
Some To Look Into (Score:2)
Linux + clamAV (Score:2)
Vipre Rescue Scanner (Score:1)
F-Secure Rescue ISO (Score:2)
http://www.f-secure.com/en_EMEA/security/tools/rescue-cd/ [f-secure.com]
I've also had random luck getting this to work from a bootable USB drive that mounts the ISO as well.
Just a few notes (Score:2)
The way to shut them down for the moment is a clean boot from a clean, verified uninfected source, something like a CD or USB if the hardware/BIOS permits. Also, pull out the network plug; some malware will propagate to other machines over the network, even if you don't think you're accessing it.
Two things to look out for, some computers may seem to let you boot from those sources, but still load some
Bootable CD's FTW! (Score:1)
There are many anti-virus companies that offer versions of their anti-virus on bootable CD's that you can download and run for free (legally). It will take just a little bit of Google work but I know you can find ones for Avira, Bit Defender, and Kaspersky. There might be more out there but the one I use the most (I work as a PC tech cleaning out lots of viruses.) is the Avira CD. Happy virus killing!
Here you go.. (Score:2)
http://www.clamwin.com/content/view/18/46/ [clamwin.com]
And it's free!
Unlikely... (Score:2)
Not if you want the system to actually be secure. In order to effectively scan, you'll need up-to-date virus definitions. If you don't want to be on the network for an online scan, you probably won't want to be on the network to download definitions. It wouldn't matter anyhow, as you can't put them on the USB drive because you want to maintain write-protect. As such, even if you put the AV product on your system, you'd shortly be stuck with out-of-date definitions, unless you have some other writable me
Booting from infected drives? (Score:2)
That is a problem right there if you are wanting to boot from the infected drive THEN test.. If you can boot off the USB too, why not just boot off USB, then connect/share via SMB to a machine in your shop that has all the scanning stuff and do it from there?
Aren't you doing it wrong? (Score:2)
Seriously, you're willing to let your customers use the device when it's riddled with malware or whatever, but you want a simple and easy way to clean them when you get one for service?
Why bother? If you're not interested in preventing the problem, it will come back.
And as some have recommended, you should work with the suits to either get a more appropriate and robust version of Windows to do what you do, or move to an OS that can be secured. I know this is not just a technical decision, so good luck
Antvir (Score:2)
Linux based, Insert-Inside Security Rescue Toolkit (Score:2)
http://www.inside-security.de/insert_en.html [inside-security.de]
It can read/write NTFS and can run ClamAV.
I even installed it on a thumb drive with two partitions. Used from Windows, it is a data drive. Boot from it and it goes into Insert Linux Rescue.
It is pretty spartan and very small so will fit on your older thumb drives that are too small for anything else.
Stinger (Score:2, Informative)
McAfee Stinger
http://vil.nai.com/vil/stinger/ [nai.com]
Re: (Score:1)
Anyway, he then Googles and sends me a list. I responded, "Yes, I've Googled myself, thank you. I asked you for your opinion because I trust you and not the thousands and thousands of random opinions, many of which are outright plagiarism of other websites, and if one was BSing, then thousands were BSing too."
I would also like to point out, many many web pages are the postings by folks who are paid shills.
Re: (Score:1)
In short: Google does not offer trusted individual opinions and most of the reviews and opinions on the web are highly suspect.
Neither do half the jokers posting here...
It's like the old saying, if you want it done right you gotta do it yourself. That goes for researching/trying out products too... Besides IMO it's the only way for stupid people to become more self sufficient in the long run.
Re: (Score:2)
Besides, he also provides an opportunity for the rest of us to be entertained by folks like you, and the people like me who will take the bait.
Re: (Score:1)
Actually, MalwareBytes cannot be run from a flash drive, nor is it free for Corporate use.
Mbam Forum [malwarebytes.org]
If you use MBam in a corporate setting, they wish for you to obtain a corporate licence by contacting them at:
Mbam Corporate Licensing [malwarebytes.org].
Nope, I'm not affiliated with them, just another satisfied fan.
Re: (Score:2)