USB device auto-scan
lacak


Joined: 01 Dec 2008
Posts: 0
Hi *,
I have an idea for such a thing... There is now a big threat from viruses which spread using USB disks (INF/autorun)...
What if there were an option in ClamWin: "Run scan after USB device connects"?

I think that it is relatively simple to implement: catch the WM_DEVICECHANGE message with WParam=DBT_DEVICEARRIVAL
and then run a scan of that new drive (maybe in the foreground, to notify the user that scanning is being performed).

It would be a very useful feature (in the meantime, until realtime protection).

TIA
-Laco.
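The arrival check proposed in the post above, as an added example (not ClamWin code): it decodes the DEV_BROADCAST_VOLUME data that accompanies WM_DEVICECHANGE with DBT_DEVICEARRIVAL into the drive roots to scan. The function name and the sample bytes are constructed for illustration, and the caller is assumed to have copied the memory behind lParam into a bytes object.

```python
import struct

# Win32 constants (winuser.h / dbt.h)
WM_DEVICECHANGE = 0x0219
DBT_DEVICEARRIVAL = 0x8000
DBT_DEVTYP_VOLUME = 0x00000002
DBTF_NET = 0x0002  # volume is a network drive, not local media

# DEV_BROADCAST_VOLUME, little-endian: dbcv_size, dbcv_devicetype,
# dbcv_reserved, dbcv_unitmask (DWORDs), then dbcv_flags (WORD).
_DBV = struct.Struct("<IIIIH")

# Constructed sample: a volume arrival whose unit mask has bit 4 set (E:).
SAMPLE_ARRIVAL = _DBV.pack(20, DBT_DEVTYP_VOLUME, 0, 1 << 4, 0) + b"\x00\x00"


def drives_to_scan(msg, wparam, lparam_bytes):
    """Return drive roots such as ['E:\\'] announced by one window message."""
    if msg != WM_DEVICECHANGE or wparam != DBT_DEVICEARRIVAL:
        return []
    if len(lparam_bytes) < _DBV.size:
        return []  # truncated structure: ignore rather than guess
    size, devtype, _reserved, unitmask, flags = _DBV.unpack_from(lparam_bytes)
    if devtype != DBT_DEVTYP_VOLUME or size < _DBV.size:
        return []  # some other device class arrived, not a volume
    if flags & DBTF_NET:
        return []  # mapped network share, not a removable disk
    # Bit 0 of the mask is A:, bit 1 is B:, ...; one message may carry several.
    return [chr(ord("A") + bit) + ":\\"
            for bit in range(26) if (unitmask >> bit) & 1]


if __name__ == "__main__":
    print(drives_to_scan(WM_DEVICECHANGE, DBT_DEVICEARRIVAL, SAMPLE_ARRIVAL))
```
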
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
I've tested such a feature, but as long as clamscan is used and it needs to load the whole db every time, it's a bit unfriendly.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I have noticed that a lot of the USB infectors are fairly new. The Clam daily database is much smaller than the main database and it contains signatures that are two to three months old that haven't yet been merged into the main database. You might be able to still provide some good security at a faster speed if you only loaded the daily database to scan USB.

Regards,
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
The code I've tested is for clamtray; perhaps we already have a Python module that scans in the Outlook plugin. The problem is that clamtray will then eat an additional 100 MB or more of RAM to handle the db.
Using daily only can be an idea, but it does not look like the best security :)
USB scanning could be suitable when ClamWin becomes client/server, like using clamd; this does not mean waiting for a real-time scanner.
Unfortunately we are only 2 developers following ClamWin as a spare-time job :(
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Yes, that's a big drain on the system.

There is a very small free app called Autorun Eater from Old McDonald's Farm at https://oldmcdonald.wordpress.com/ on the web. I used it for awhile when working malware to monitor the USB, but I quit using it because a lot of USB malware is persistent and keeps coming back. It did nothing to find/stop the process that kept putting it on the USB. It's very good at warning you, however, that there is something on the USB that doesn't belong.

Regards,
lacak


Joined: 01 Dec 2008
Posts: 0
And what do you think about this idea: "Remove executable contents from USB"?
On insertion of a USB disk, clamtray would delete from the USB disk all exe, com, bat, vbs, inf etc. files, which may contain a virus.
Maybe a "drastic solution", but very useful in company environments, as for example our company policy prohibits using USB disks for executable (dangerous) content.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
That is probably a good idea if your company prohibits USBs at work but it wouldn't work for an individual's PC--they have all sorts of stuff on USBs now.

Here are the files I have seen that are most likely to be malicious on USBs: *.inf, *.html, *.png, and *.jpg/*.gif. The malicious jpg/gif files are actually .exe files that pretend to be graphics files, but they will run when clicked on.


Regards,
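One way to flag the disguised files described in the post above, as an added example (not ClamWin code): it compares each file's extension with the first bytes of its content and also reports image names that carry a second, executable extension. The function names, verdict strings and the list of executable extensions are assumptions made for this sketch.

```python
import os

# Leading bytes expected for the image types named in the post above.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
PE_MAGIC = b"MZ"  # DOS/PE executable header


def classify(name, head):
    """Compare a file name with the first bytes of its content."""
    # Windows drops trailing dots and spaces from names, so ignore them.
    stem, ext = os.path.splitext(name.rstrip(". ").lower())
    if ext in EXEC_EXTS and os.path.splitext(stem)[1] in IMAGE_MAGIC:
        return "double-extension"        # e.g. holiday.jpg.exe
    if ext not in IMAGE_MAGIC:
        return "not-image"
    if head.startswith(PE_MAGIC):
        return "executable-as-image"     # image extension, PE content
    if not head.startswith(IMAGE_MAGIC[ext]):
        return "header-mismatch"
    return "ok"


def suspicious_files(root):
    """Walk a drive or folder; return {relative path: verdict} for flagged files."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
            except OSError:
                continue                 # unreadable: leave it to the full scan
            verdict = classify(name, head)
            if verdict not in ("ok", "not-image"):
                hits[os.path.relpath(path, root)] = verdict
    return hits
```

A header check only narrows down what to hand to the signature scan; a file that passes it can still be malicious.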
Using Clam's Daily Database (Only) For A Scan
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Actually, a scan with the daily database instead of the entire Clam database might provide better protection than you would think. See this: https://www.net-security.org/malware_news.php?id=1087 on the web. Seems like the average Clam submission I see from users is apt to be in the 24 hour category. The following night I will see it again, but it has been changed enough so that the old signature is unable to detect it, and a new sig is required. I think if the virus writers put a lot of effort into it, it stays around longer. Anyway, Clam's daily database is kept around for 3/4 months until it is included in the main database, so if you have one of these 24 hour viruses, the chances of finding it are actually pretty good.

Regards,
lacak


Joined: 01 Dec 2008
Posts: 0
GuitarBob wrote:
That is probably a good idea if your company prohibits USBs at work but it wouldn't work for an individual's PC--they have all sorts of stuff on USBs now.


Yes, then what about adding multiple options:
"When new USB storage device attached":
- Do nothing
- Automatically scan
- Ask user whether to scan ("New USB storage device attached. Do you want to scan it with ClamWin Free Antivirus?")
- Remove (or Quarantine) executables

What is the difference between ClamScan being run automatically by ClamTray and being run manually by the user via the Explorer context menu "Scan with ClamWin Free Antivirus"? I think that both cases will run the same process and will use the same memory?

L.
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
yes
maybe a summary parse of autorun.inf can show if it launches something suspicious
like "autorun.inf would launch executable x"
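The summary parse suggested in the post above, as an added example (not ClamWin code): a tolerant line parser that reports the commands named by `open`, `shellexecute` and `shell\<verb>\command` entries in the `[autorun]` section, skipping junk lines instead of failing on them. The function names and the sample file are constructed for illustration.

```python
import re

LAUNCH_KEYS = ("open", "shellexecute")               # run on AutoRun/AutoPlay
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command

# Constructed sample: junk padding before the section, mixed-case keys.
SAMPLE_INF = (
    b"; constructed sample, not taken from a real device\r\n"
    b"qwerty padding line without a section\r\n"
    b"[AutoRun]\r\n"
    b"Open = tools\\launcher.exe /quiet\r\n"
    b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b"shell\\explore\\Command=tools\\launcher.exe\r\n"
    b"[Other]\r\n"
    b"open=ignored.exe\r\n"
)


def decode_inf(raw):
    """Decode autorun.inf bytes; UTF-16 is recognised by its byte-order mark."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    if raw[:3] == b"\xef\xbb\xbf":
        raw = raw[3:]
    return raw.decode("latin-1")


def autorun_launches(raw):
    """Return (key, command) pairs that the [autorun] section names."""
    found, in_autorun = [], False
    for line in decode_inf(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line[: line.find("]") + 1].lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        # Lines outside [autorun] or without '=' are skipped, not fatal.
        if in_autorun and sep and value and (key in LAUNCH_KEYS or SHELL_CMD.match(key)):
            found.append((key, value))
    return found


def summarize(raw):
    """One human-readable line per command the file would launch."""
    return ["autorun.inf would launch %s (via %s)" % (cmd, key)
            for key, cmd in autorun_launches(raw)]
```
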
jingle33


Joined: 16 Aug 2009
Posts: 0
good idea! should be implemented. :roll:
CLAM ON USB
jenti12


Joined: 07 Aug 2009
Posts: 0
Location: LAGOS
Hi all,
Still looking for someone to help me on this: I need to have a virus scanner put on a USB disk. I think Clam is good for this, but how do I go about it? Can it update itself online? Please help.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Sure, you can put ClamWin on a USB drive. I have it on mine. Go to this page on the ClamWin site: https://www.clamwin.com/content/view/118/89/ on the web. There are two options: install ClamWin Portable from the ClamWin Portable website or build your own from Alch's instructions. It is easier to install ClamWin Portable. Be sure to read/follow the instructions, whichever method you use. After installation, you just run it from the USB, and you can get the signature updates, scan or do the same as with ClamWin on C drive.

It's pretty handy, but you are still working from the Windows OS on your computer, so some malware could still hide from you even if there is a signature for it. I don't know if you can use it in Safe Mode, which might catch some of it.

Regards,