Not to offend anyone, but I'd rather only tech people answered this thread, to preserve the informative value of this post. Others can benefit from this information. Thank you.
Purpose of this thread: safe usage and prevention of a USB stick's content - software/documents - when used in Internet coffee shops and on companies' networked computers (no policy on external devices here, and admin rights on the networks).
In fact it is a broad question and I don't even know how to formulate it, but:
How do I get infected?
How do I see when I get infected?
What do I do when I get infected?
Etc.
Let's get to it:
I can't use a sandbox or HIPS from my USB since none are portable, to my knowledge - they need to access the kernel and install their drivers. I can't use real-time protection since none is portable - ClamAV only does on-demand scans at the moment. So much for prevention.
When I plug in my USB, I should be a target for viruses, worms, trojans, etc. So, how can I see them, and get rid of them, once I plug the USB back into my computer?
As a safety rule, the autorun feature should (MUST) be disabled on every system. Not too hard to achieve; you can even find the correct M$ KB which corrects the first incomplete procedure. (As a side note, beware of some blogs with their "registry hacks to kill the autorun feature"; they are not always accurate.)
Alright, so now your infected USB won't jump at you with a ton of malware when you plug it in (that's an image).
What about the rest?
Q1: Is it better to do an on-demand scan on the system you are plugged into (Internet coffee shop/networked PC) before removing the USB, or to do an on-demand scan only once you are back home and plug the device into your own PC?
Q2: How can you see, looking at the content of your USB, that an infection has occurred?
Q3: Doing a full scan of a USB using e.g. ClamAV takes quite a while. I cannot spend 45 minutes to 1 hour scanning every time I plug my USB into a different machine. Moreover, scanning over and over will reduce your device's life. What would you advise?
Q4: In the event of an infection, will the documents also be infected? Would you recommend setting some important information as read-only to prevent a virus contamination - at least you can save these pieces before reformatting? Can malware overwrite such permissions? I guess it will...
Q5: When you are plugging the USB back into your PC, if you have a warning of an infection from your AV, or worse, if you have NO warning of infection but your HIPS gives you an alarm about an unexpected activity (zero-day infection), what do you do? Erase and reformat, or try to save: how, what? It is very difficult to fight malware already in your system - well, even only on your USB - since you will not know what to look for and what modification has occurred. Correct me if I am wrong.
Q6: Let's be realistic: so far, 90% of the malware I have come across were executables. They needed a user action to execute, or the autorun function. Can I have some examples of malware infections (what happened/what changed/etc.) and whether you could see the malware when you plugged in your USB stick and opened the PortableApps.com platform GUI? Also, is it safe practice to first open the USB stick with Explorer to check its content?
Q7: Feel free to relate your experience and advice. I am out of questions.
Well, I know from experience with school computers that one usually knows they are infected by noticing lag times in the ability to open their USB. Then also by seeing a hidden autorun.inf file that won't allow you to open it in any way. (But not all autorun.inf's belong to a virus.) And you are right, most USB infections happen through a user interacting with something that would execute a file of some kind that would infect your USB. I don't really think you have to worry about documents or anything getting infected unless the malware/virus has a way of injecting nasty code into it. If you were to get infected I would recommend you probably go into safe mode; I believe when you are in safe mode autorun is disabled. Then you can just scan it or go into the drive and manually delete the malware files and its autorun.inf if it created one. Most of the time a virus or malware file usually resides in the root of the drive, I'm assuming because it's easier for it to infect other things. If you had a switch to enable read-only for a USB I would probably recommend you do that to prevent anything from writing to it that could harm/delete files on your USB. I would be really cautious about opening your USB after putting it into a personal computer, especially if it's infected with a virus/malware that has a way to "shell execute". Because once you open up your drive to view your files, malware/viruses will execute and can hide on your computer anywhere, and I've had some hide on other drives, so if you just scan your local "C:" drive that would be useless if it removed it because it would just recopy itself from another drive. If I think of anything else to say I'll come back and leave another comment.
Just be cautious about what you open up. Usually most infections on one's computer come from downloading illegal files off of the Internet, so if you have any doubts about the source it's coming from, just don't download it, as it's not worth the time nor the effort, and also the headache of removing malware from your computer. Hope this answered some of your questions.
An eye for an eye makes the whole world blind.
Mahatma Gandhi,
Indian political and spiritual leader (1869 - 1948)
A1: It's better to do it on any PC that doesn't save settings and has no Internet; kill the Internet temporarily before you plug it in... some coffee shops and libraries don't save the guest accounts' settings, check to make sure. Once in, disable the Internet temporarily. This is better because it can't affect the computer you're using. Just something without admin privs or Internet.
A2: Normally you can't, but that depends on the virus. Enable hidden files and operating system files in the Folder Views. Control Panel --> Folder Views --> Views. I found a file with a swear in it once, when I was infected. And if you see files you never made, or you're sure a program didn't make, you have a virus. They hide in .exe's or make themselves hidden files.
A3: I advise reformatting the whole thing. Scan personal files and keep those, save the "Data" folder of all the apps to scan. Then reinstall and copy the Data folder back.
A4: They can overwrite those permissions. And no, the read-only attribute will not protect them.
A5: Read A2
A6: They don't NEED user actions. A good virus from some professional virus maker has a way of opening itself.
A7: I'm out
This is what I am doing now.
1. I have installed Panda USB Vaccine (to prevent the autorun function on the USB) - alternatively I plug in the USB with the Shift key held (disables autorun).
2. I used to, but don't do it now for reasons of time and resource usage, scan the host computer with my USB AV.
3. I do however scan my USB stick with ClamAV after a portable session, before removing it from the host PC.
4. I also inspect the USB content (folders) for any suspect files before removing the USB from the host PC.
5. Upon connecting to my PC - I scan the USB with my AV (Antivir) and with my anti-malware (Malwarebytes).
Feel free to comment. Thanks
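One way to make Q2 and step 4 above concrete, as an added example that is not from this thread or from PortableApps.com: take a hash manifest of the stick on your own PC before the portable session, compare it afterwards, and flag the warning signs the replies mention (a new autorun.inf in the root, new hidden files, new executable-type files). The script name usbcheck.py and the manifest path are assumptions.

```python
import hashlib
import os
import stat

# Extensions the thread singles out: things that run on a user action or via autorun.
SUSPECT_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".pif"}

def is_hidden(path):
    """Hidden via the Windows FILE_ATTRIBUTE_HIDDEN bit, or a leading dot elsewhere."""
    win_attrs = getattr(os.lstat(path), "st_file_attributes", 0)  # Windows only
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    return bool(win_attrs & hidden_bit) or os.path.basename(path).startswith(".")

def manifest(root):
    """Map each file's path relative to root to (sha256, hidden flag)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (digest.hexdigest(), is_hidden(full))
    return result

def compare(before, after):
    """Diff two manifests; 'suspect' lists additions matching the thread's warning signs."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before if p in after and before[p][0] != after[p][0])
    suspect = [p for p in added
               if p.lower() == "autorun.inf"                       # new autorun.inf in the root
               or after[p][1]                                      # new hidden file
               or os.path.splitext(p)[1].lower() in SUSPECT_EXT]   # new executable-type file
    return {"added": added, "removed": removed, "changed": changed, "suspect": suspect}

if __name__ == "__main__":
    import json, sys
    # Usage: usbcheck.py <stick root> <manifest file>. Keep the manifest on your own PC
    # (assumed path, e.g. C:\usb-baseline.json), not on the stick, so the stick can't alter it.
    root, store = sys.argv[1], sys.argv[2]
    current = manifest(root)
    if os.path.exists(store):           # second run: compare against the saved baseline
        with open(store) as fh:
            print(json.dumps(compare(json.load(fh), current), indent=2))
    else:                               # first run: save the baseline
        with open(store, "w") as fh:
            json.dump(current, fh)
```

Run it once before the session to save the baseline and once after to get the diff; a clean "suspect" list does not prove the stick is clean, it only shows nothing matching these signs was added.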