
Stand-Alone Antivirus Software?

timothy posted more than 2 years ago | from the lonely-job dept.

Security 159

An anonymous reader writes "I work for a company that repairs specialty devices that have an embedded Mini-ATX motherboard without a CD-ROM drive and run Windows XP Home. And while the USB flash drives we insert into them have a physical write-protect tab, we still encounter a (rather annoying) display dialog from malware/viruses to remove the write-protect so the malware can infect the flash drive. We don't remove the write-protect, obviously, but would like to offer our customers the option of removing the malware/virus without having to install any software. We would rather not install/uninstall antivirus software even for one-time use, due to various licensing issues, nor do we want to connect to the Internet to use web-based online scanners. Is there any stand-alone anti-virus/anti-malware software for Windows that can be run directly from the write-protected flash drive itself?"

159 comments

Good Luck! (2)

Dr.D.IS.GREAT (1249946) | more than 2 years ago | (#32683166)

The boyz and I have tried to figure out a solution to that same problem. AVG has a Linux-based rescue CD, as well as some other guys; it could easily be adapted to a USB disk.

Re:Good Luck! (0)

Anonymous Coward | more than 2 years ago | (#32684706)

The boyz and I have tried to figure out a solution to that same problem. AVG has a Linux-based rescue CD, as well as some other guys; it could easily be adapted to a USB disk.

The AVG rescue system can be put on a USB stick. There's a link [http://www.avg.com/us-en/avg-rescue-cd-download] on their download page.

ClamWin (4, Insightful)

vbraga (228124) | more than 2 years ago | (#32683174)

A portable version of ClamWin may do the trick.

http://www.clamwin.com/content/view/118/89/ [clamwin.com]

Re:ClamWin (1)

pmsr (560617) | more than 2 years ago | (#32683226)

It won't do the trick. ClamWin doesn't remove malware or viruses.

Re:ClamWin (3, Informative)

Anonymous Coward | more than 2 years ago | (#32683310)

Yes it does, but you have to turn on the removal feature first (defaults to report-only). SuperAntiSpyware and MalwareBytes also have portable versions (I think MalwareBytes' portable version may be an unsupported mod, though.)

and spyware detected/removed this way (2, Informative)

Ilgaz (86384) | more than 2 years ago | (#32684834)

It isn't very widely known, but ClamAV doesn't detect "spyware" by default. If you pass '--detect-pua' (potentially unwanted apps) in its arguments, it will detect them too.

Of course, in this situation, if he "fixes" the computer by removing spyware and the idiot customer jumps up and down saying "his mp3 downloader is broken", it will cause some issues. That is why most antiviruses stay away from detecting spyware by default.

Re:ClamWin (1)

Monkeedude1212 (1560403) | more than 2 years ago | (#32683388)

Works for me, 60% of the time, every time.

(The other 40% are when we come across old BIOS versions that don't allow you to boot from the USB.)

and another link (1)

Ilgaz (86384) | more than 2 years ago | (#32684794)

I really think with such usage and money is being made

http://www.clamwin.com/content/view/180/105/ [clamwin.com] (donation)

and of course, same donation to clamav(.net), the "real thing" should be made.

People may think such famous projects are swimming in donations money but it is generally not the reality. There is no license confusion there either, it is free but donations accepted, whatever money you feel like. In TV business, I sometimes see ffmpeg being used in million dollar projects without a cent of donation, it really pisses me off. I bet little shops are way more ethical.

Re:ClamWin (0)

h3llfish (663057) | more than 2 years ago | (#32685072)

I'm called on to remove malware frequently (at least once a week), and it's been my experience that ClamWin misses more malware than it catches. Plus, if your flash drive is write-protected, then how can you update to the latest definitions? If you aren't using the latest definitions, again, you're probably going to leave some malware behind. If you're able to update the flash drives frequently, then that second one is not an issue.

ClamAV (0)

Anonymous Coward | more than 2 years ago | (#32683182)

Clamav portable?
http://portableapps.com/apps/utilities/clamwin_portable

clamav (1)

simcop2387 (703011) | more than 2 years ago | (#32683184)

While it won't catch everything, ClamAV, I believe, can be set up on the USB drive to be used that way.

Re:clamav (2, Insightful)

toastar (573882) | more than 2 years ago | (#32683304)

While it won't catch everything, ClamAV, I believe, can be set up on the USB drive to be used that way.

Nothing will catch everything. The second you write it to disk, your virus definitions will be out of date.

Re:clamav (4, Informative)

csrjjsmp (819838) | more than 2 years ago | (#32684378)

Other programs will catch 98-99%. Clamwin is lucky to catch 30.

Re:clamav (2, Insightful)

profplump (309017) | more than 2 years ago | (#32684550)

99% of what? The viruses they have definitions for? There's not a product on the market that catches 99% of all viruses.

You might make a comparison of the number of entries in their definitions library, or the different techniques each has available to match the various types of obfuscation in use, but a claim of catching 99% is both meaningless and unsupportable.

Re:clamav (1)

Bryansix (761547) | more than 2 years ago | (#32684844)

Actually besides missing a lot of viruses my problem with ClamAV or ClamWin was the false positives that would quarantine critical system files making computers unbootable.

Re:clamav (0)

Anonymous Coward | more than 2 years ago | (#32684574)

While it won't catch everything, ClamAV, I believe, can be set up on the USB drive to be used that way.

Nothing will catch everything. The second you write it to disk, your virus definitions will be out of date.

Don't you mean the day before they made the definitions available your virus definitions were out of date?

Clamwin (2, Interesting)

Kissing Crimson (197314) | more than 2 years ago | (#32683188)

I have thumbdrive with Clamwin just for this purpose. I remove the write-protect when I need to update the virus definitions, then flip it back before inserting in a suspect PC. Works great.
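Several replies in this thread describe the same workflow in pieces: ClamWin defaults to report-only and removal has to be switched on, '--detect-pua' is needed to catch "spyware", and the write-protect tab is flipped off only to refresh definitions and back on before the stick touches a suspect PC. The following is an added example, not code from the thread or from the ClamAV project, that puts those pieces together for the Linux/clamscan equivalent of that setup. It assumes a hypothetical stick layout (the signature database at `$stick/clamav/db`, refreshed with the tab off via `freshclam --datadir=`), writes the log and quarantine only to a scratch directory on the host, stays report-only unless quarantine is requested, and refuses to run if the stick accepts a write, since a tab that is only a software flag gives no protection. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project.
# Assumed (hypothetical) stick layout: the signature database lives at
#   $stick/clamav/db   (refreshed with the tab off: freshclam --datadir=$stick/clamav/db)
# Everything the scan writes (log, quarantine) goes to a scratch directory on the
# host, so the stick is only ever read from.

print_args() { printf '%s\n' "$@"; }

# with_clamscan_args CMD STICK TARGET SCRATCH [MODE]
# Builds the clamscan argument list and hands it to CMD. Every flag used here is
# a real clamscan option. MODE is "report" (default: detect only) or "quarantine"
# (move hits to $SCRATCH/quarantine); removal is opt-in, like ClamWin's default.
with_clamscan_args() {
    cmd=$1; stick=$2; target=$3; scratch=$4; mode=${5:-report}
    set -- \
        --database="$stick/clamav/db" \
        --recursive \
        --infected \
        --detect-pua \
        --log="$scratch/clamscan.log"
    if [ "$mode" = quarantine ]; then
        set -- "$@" --move="$scratch/quarantine"
    fi
    "$cmd" "$@" "$target"
}

# Print the argument list one per line, for review before running it.
clamscan_args() { with_clamscan_args print_args "$@"; }

# Return 0 if a file can be created in $1, 1 otherwise. Run this against the
# stick before using it on a suspect machine: a "write-protected" stick that
# accepts this write is not protecting you.
dir_is_writable() {
    probe="$1/.wp-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# run_scan STICK TARGET SCRATCH [MODE]
# Refuses to proceed if the stick is writable, then runs clamscan and maps its
# documented exit codes (0 clean, 1 infected files found, 2 error) to a verdict.
run_scan() {
    stick=$1; target=$2; scratch=$3; mode=${4:-report}
    if dir_is_writable "$stick"; then
        echo "refusing: $stick is writable; the write-protect tab is not in effect" >&2
        return 2
    fi
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not found on PATH" >&2
        return 2
    fi
    mkdir -p "$scratch/quarantine"
    if with_clamscan_args clamscan "$stick" "$target" "$scratch" "$mode"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
    return $rc
}

# Usage: run_scan /media/stick /mnt/suspect /tmp/scanwork report
```

Running `clamscan_args` first shows exactly what will be passed to the scanner; the `--log` and `--move` paths are the only places the scan writes, and both point at the host, not the stick. The writability probe is deliberately a real write attempt rather than a check of the mount flags, because the point raised later in this thread is that the tab may only be advisory.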

Dr. Web CureIt (0)

Anonymous Coward | more than 2 years ago | (#32683190)

Just update it periodically from the internet and it's a single file AV scanner that seems to do a half-way decent job of rooting out a lot of common viruses/trojans/adware.
http://www.freedrweb.com/cureit/?lng=en

U3? (1)

stevel (64802) | more than 2 years ago | (#32683202)

I know that U3-enabled flash drives can run AV scans directly from the flash drive. I don't know if this requires that some part of the drive be writeable. U3 drives appear as a CD-ROM plus a separate flash drive. http://en.wikipedia.org/wiki/U3 [wikipedia.org]

Re:U3? (1)

ushering05401 (1086795) | more than 2 years ago | (#32683500)

Running a U3 drive is asking for trouble. I don't know of any portable storage technology that has more malicious payloads available for free download on the net. The problems have been detailed widely... I stopped using U3 devices after an article in 2600 (Winter07/08) got me looking into the technology. I absolutely could not believe what my research uncovered.

UBCD (5, Informative)

0racle (667029) | more than 2 years ago | (#32683216)

http://www.ubcd4win.com/ [ubcd4win.com]

There are several AV products that can be slipstreamed into it, and there are instructions on installing the Ultimate Boot CD onto a thumbdrive, which is handy for keeping AV signatures up to date.

Re:UBCD (0)

Anonymous Coward | more than 2 years ago | (#32683446)

Just what I was gonna suggest. You beat me to it, you bastard.

Re:UBCD (2, Funny)

Anonymous Coward | more than 2 years ago | (#32683652)

12 people in a row suggested ClamWINAV... I think /. will survive 2 UBCD recommendations...

One option might be... (2, Informative)

coerciblegerm (1829798) | more than 2 years ago | (#32683218)

You could try something like F-Prot or Panda Commandline scanner, and just update the definition files on your USB drive manually from time to time.

Re:One option might be... (-1, Troll)

Anonymous Coward | more than 2 years ago | (#32683598)

So, question: If I use Panda am I supporting Scientology or did they really distance themselves from the CoS after French Media outed them?

Re:One option might be... (1, Interesting)

Anonymous Coward | more than 2 years ago | (#32683750)

Agree. F-Prot is cross platform. That means you might have success booting a Linux distro on flash with f-prot installed, updating its virus definitions, and then scanning the infected blob, oops, I mean Windows.

Another option for a standalone scanner is bart-pe. Pay attention to treatment of registry objects, though.

Re:One option might be... (1)

Hatta (162192) | more than 2 years ago | (#32684306)

That's exactly what I was going to say. F-Prot is good shit. Load it on a live USB image (unetbootin is your friend) and you're good to go.

Another thing worth mentioning... From what I've read, the write protect tabs on USB flash devices are implemented in software, not hardware. It would be entirely possible for a compromised PC to load a driver that ignores that flag. Perhaps a USB CDROM would be safer.

Your post doesn't make sense. (1)

GNUALMAFUERTE (697061) | more than 2 years ago | (#32683228)

100% of the system is read only? I assume you are using a ramdrive or something like that for tmp files and the like? I don't know shit about Windows, but I don't think it's going to run without any kind of writable space.

OTOH, if you want a simple solution to this issue, and the system is read-only, I think your simplest antivirus solution is called "reboot".

Of course, you should be looking into running GNU/Linux on these babies. It certainly runs better on Atom than Windows ever will.

Re:Your post doesn't make sense. (1)

Monkeedude1212 (1560403) | more than 2 years ago | (#32683436)

His USB is read only, not the system. He wants to RUN an antivirus without installing it on the computer. Which is possible; the most common around are boot CDs (or live CDs), where you boot up an antivirus operating system instead of the Windows on your hard drive, from a CD-ROM you insert. His problem was that the computers don't have CD-ROMs, so he's looking for the equivalent with a USB stick, of which there are still quite a few.

The problem he'll likely run across is an out of date BIOS that doesn't support booting from USB.

Re:Your post doesn't make sense. (1)

ushering05401 (1086795) | more than 2 years ago | (#32683800)

I use PXE for stuff like this, or a simple tftp server for embedded devices. As long as you don't get stuck needing to work with emdeb crush (arm) the custom roll is the hardest part and even that is dead simple these days.

Re:Your post doesn't make sense. (1)

TheClassic (816274) | more than 2 years ago | (#32683460)

100% of the system is read only? I assume you are using a ramdrive or something like that for tmp files and the like? I don't know shit about Windows, but I don't think it's going to run without any kind of writable space.

OTOH, if you want a simple solution to this issue, and the system is read-only, I think your simplest antivirus solution is called "reboot".

Of course, you should be looking into running GNU/Linux on these babies. It certainly runs better on Atom than Windows ever will.

The flash drive is a read only maintenance tool. The system is not read only. He wants something that he can run from the flash drive.

Re:Your post doesn't make sense. (1)

Intron (870560) | more than 2 years ago | (#32683644)

If the system were 100% read only, how would it have gotten infected?

Re:Your post doesn't make sense. (2, Funny)

Fwipp (1473271) | more than 2 years ago | (#32683754)

TFS says that they come preinstalled with the variant colloquially known as Windows XP Home.

Use Windows Embedded, not XP Home (5, Insightful)

MobyDisk (75490) | more than 2 years ago | (#32683246)

I work in a similar environment, and although I can't recommend a virus program, I can suggest ways to prevent it. It sounds like the company is creating an embedded device, but is not using an embedded operating system. Microsoft Windows embedded forbids writes to the C: drive when you enable EWF or FBWF. EWF gives you a memory overlay so software *can* write to C:, but if you get infected, you just reboot the machine. Alternatively, a good Micro-ATX BIOS will support making the drives read-only.

Re:Use Windows Embedded, not XP Home (1)

camperdave (969942) | more than 2 years ago | (#32683684)

Microsoft Windows embedded forbids writes to the C: drive when you enable EWF or FBWF. EWF gives you a memory overlay so software *can* write to C:, but if you get infected, you just reboot the machine.

Any way I can put that tech on regular XP?

Re:Use Windows Embedded, not XP Home (3, Informative)

Ramze (640788) | more than 2 years ago | (#32683852)

I've found the "Shared Computer Toolkit for Windows XP" can be very helpful at locking down exactly what can be changed on an XP build... including allowing changes, but wiping them after a reboot.
http://www.microsoft.com/presspass/newsroom/winxp/SharedToolkitFS.mspx [microsoft.com]
It's now called "Windows SteadyState 2.5"
http://www.microsoft.com/downloads/details.aspx?familyid=d077a52d-93e9-4b02-bd95-9d770ccdb431&displaylang=en [microsoft.com]

Re:Use Windows Embedded, not XP Home (2, Informative)

saverio911 (997619) | more than 2 years ago | (#32683974)

I use EWF (which stands for Enhanced Write Filter) on my XP machine in my car. It works very well up to the point where the cached disk writes overrun the memory buffer. It has only happened once, when I forgot to turn off EWF to install something. The directions I used are located on MP3Car.com. (http://www.mp3car.com/vbulletin/winnt-based/38484-new-ewf-minlogon-cf-instructions.html)

alot of that custom software does not like lock do (1)

Joe The Dragon (967727) | more than 2 years ago | (#32684228)

A lot of that custom software does not like lockdown, and some of it likes to store logs / other stuff that will get lost with that reset of C: on reboot, and no, it's not easy to make it put that stuff on another disk / some of it was coded for Windows 9x and no, they will not make it work for UAP / limited user.

Also turning off admin will not work for a lot of that software as well.

Re:Use Windows Embedded, not XP Home (0, Troll)

Hurricane78 (562437) | more than 2 years ago | (#32684546)

Why not just use Linux, and solve the antivirus problem too. Duh.

But hey, to each his own. If they like masochism, I’m not stopping their “fun”. ^^

So let me get this straight... (2, Interesting)

Marx_Mrvelous (532372) | more than 2 years ago | (#32683258)

Instead of protecting the device proactively by using some sort of AV, application whitelist, or other device control, you want to let them keep getting infected, over and over, so your users have to keep using the USB device to remove the malware infections over and over? Brilliant.

Re:So let me get this straight... (0)

Anonymous Coward | more than 2 years ago | (#32683344)

Gives you repeat customers...

Re:So let me get this straight... (2, Informative)

Anonymous Coward | more than 2 years ago | (#32683404)

There's a difference between Service Provider and Solution Provider

Re:So let me get this straight... (0)

Anonymous Coward | more than 2 years ago | (#32683430)

Yes, I think you're onto something there. In the long run, you will want to put your efforts into prevention, rather than cleanup. As posted above, try an embedded OS, such as Windows XP Embedded, which keeps the hard drive non-persistent (using flash or RAM as temp space, I forget). Or, if that's not an option, maybe look into setting up some kind of quick imaging suite?

Re:So let me get this straight... (2, Funny)

BitZtream (692029) | more than 2 years ago | (#32683658)

It is brilliant if you're just a service tech that's paid to 'fix the machine' and can't actually do anything to 'fix the machine'.

As an example: Windows XP used for photo printing booths at various 1-hour photo places. Then Joe the Plumber plugs in a flash device and prints his pictures.

They are made by SomeBigCompany, but the pharmacy down the street has one and needs it repaired, so JohnTheRepairMan comes to fix it. He can't fix the fact that it loads the autorun on flash devices even though it's not supposed to, because SomeBigCompany says no, and if he does it anyway, SomeBigCompany will not continue to consider him an 'authorized repair man'.

John however is allowed to say 'it's got a virus, reimage or repair'.

John just wants a way to speed up his 'reimage/repair' calls since he isn't actually allowed to do something to fix the problem.

John wins twice. A) He spends less time on a call that he gets paid a fixed price for anyway, so more profit and more importantly B) because SomeBigCompany doesn't care about the wasted cash, John gets to continue making a living.

John doesn't want it fixed. It's not his fault. He's not allowed to fix it. He is in the position to be the customer's hero and have the customer thank him while he takes money from them for something he could actually make not happen again.

From John's perspective ... it is brilliant, and he's not even doing anything mildly wrong or immoral.

Sometimes your perspective on the problems you see here on slashdot is ... incomplete at best.

Re:So let me get this straight... (1)

irishdaze (839248) | more than 2 years ago | (#32684934)

I've never seen a more accurate description of my life in large-enterprise corporate desktop support. Wow. Just freaking wow.

Re:So let me get this straight... (1)

Grishnakh (216268) | more than 2 years ago | (#32683888)

The customers are probably stupid. They're running Windows XP Home, after all. The guy could try to sell them AV software, but they'll probably whine that it costs too much or they don't want to spend the money. He's trying to be helpful by cleaning his customers' systems without requiring them to buy additional software licenses.

Don't ever underestimate the stupidity of customers.

Re:So let me get this straight... (3, Interesting)

tinkerghost (944862) | more than 2 years ago | (#32684136)

Don't ever underestimate the stupidity of customers.

Techs doing residential work live on it. Face it, nothing involved in doing a virus removal is rocket science. I had a customer who used to call me every other month to clean up their son's computer. Now the son's at college and it's someone else's goldmine.

Jon R. (0)

Anonymous Coward | more than 2 years ago | (#32683308)

Use MBAM. I'm pretty sure you can load it onto a flash drive and have it run a full scan. It's free, and the most effective spyware/malware cleaner I've used. It doesn't take any guff; it will kill processes, delete executables, and restart if needed, with your permission, of course. It will actually remove threats, rather than just telling you about them, even those new nasty ones that launch several EXEs and even services.

Re:Jon R. (1)

mike.rimov (1148959) | more than 2 years ago | (#32683736)

Actually, MalwareBytes cannot be run from a flash drive, nor is it free for Corporate use.

Mbam Forum [malwarebytes.org]

If you use MBam in a corporate setting, they wish for you to obtain a corporate licence by contacting them at:

Mbam Corporate Licensing [malwarebytes.org] .

Nope, I'm not affiliated with them, just another satisfied fan.

Re:Jon R. (1)

HikingStick (878216) | more than 2 years ago | (#32683904)

I'm a big fan of MBAM, but I've encountered more and more nasties lately that kill MBAM, even if the executable is renamed and the program is installed in an alternate location. The bad guys know it has been an effective tool, so they are working extra hard to beat it.

Bart sounds like your best bet (0)

Anonymous Coward | more than 2 years ago | (#32683314)

Discounting for a minute the questionable practices of a company that makes a specialty product that comes with XP Home of all things on it...

Your best bet is probably some kind of BartPE or WinPE based system that boots via USB.

I like "The Ultimate Boot CD for Windows"

http://www.ubcd4win.com

It might have some tools on there that you'll need to make sure don't make it onto your USB drive for licensing related reasons if you're a business, but it has good support for a wide array of hardware configs and a whole lot of really useful tools for dealing with both Virus and Spyware varieties of Malware. It also comes with a tool that'll pop it onto a USB drive with a few easy clicks.

Spybot S&D perhaps? (0)

Anonymous Coward | more than 2 years ago | (#32683332)

Unless I'm totally mistaken, I believe you should be able to copy a folder you have installed Spybot Search & Destroy to over to a USB drive and run it just fine from there.

Bitdefender is a darn good product (2, Informative)

jeffmeden (135043) | more than 2 years ago | (#32683350)

How about using the BitDefender rescue disk (available in ISO format, but portable to a USB key) and asking the customer to reboot the PC and allow it to boot entirely from the USB key?

Licensing may be a grey area on that one though, depending on how widely you are distributing it.

One problem with using a Windows application is that it may be up against a virus that is entrenched and will simply stop the cleaning from taking place. If this is the case, you need something that will activate on boot, or better yet boot on its own (like the BitDefender one).

There is probably a more elegant solution though, since this is a highly controlled environment. Maybe more restrictive user level controls are in order, forcing the users to log in with minimal privileges?

You did ZERO research on your own... (-1, Troll)

drew_92123 (213321) | more than 2 years ago | (#32683360)

If you had taken even just 15 minutes of your own time with google you would find MANY malware removing apps that can run as standalone or as modules in things like BartPE.

Learn how to use google and stop wasting other peoples time...

Re:You did ZERO research on your own... (-1, Flamebait)

Anonymous Coward | more than 2 years ago | (#32683506)

You're a Fucking Dick, dude. YOU wasted your time by replying, dip shit. You didn't have to even fucking read it, you tard. Now YOU have wasted MY TIME... Booo hooooo hoooooo..... now I'm a victim....

Re:You did ZERO research on your own... (1)

AnonymousClown (1788472) | more than 2 years ago | (#32683674)

I once asked someone about different companies for a service - what service and why is beside the point.

Anyway, he then Googles and sends me a list. I responded, "Yes, I've Googled myself, thank you. I asked you for your opinion because I trust you and not the thousands and thousands of random opinions - many of which are outright plagiarism of other websites, and if one was BSing, then thousands were BSing too."

I would also like to point out, many many web pages are the postings by folks who are paid shills.

In short: Google does not offer trusted individual opinions and most of the reviews and opinions on the web are highly suspect.

Re:You did ZERO research on your own... (1)

drew_92123 (213321) | more than 2 years ago | (#32684204)

> In short: Google does not offer trusted individual opinions and most of the reviews and opinions on the web are highly suspect.

Neither do half the jokers posting here...

It's like the old saying, if you want it done right you gotta do it yourself. That goes for researching/trying out products too... Besides IMO it's the only way for stupid people to become more self sufficient in the long run.

Re:You did ZERO research on your own... (1)

HikingStick (878216) | more than 2 years ago | (#32683864)

But by posting here, the author garners reviews and opinions from other users, and that information takes a lot more time to track down than simply pages noting that a specific tool can be run from a bootable device.

Besides, he also provides an opportunity for the rest of us to be entertained by folks like you, and the people like me who will take the bait.

Maybe this? (1)

Magycian (121354) | more than 2 years ago | (#32683372)

I've recently switched my company over to Sunbelt Systems VIPRE.
One of the triggers for this was how well this worked...
http://vipre.malwarebytes.org/ [malwarebytes.org]

I've used Malwarebytes in many places but the standalone scanner from Vipre is pretty impressive.

You have lots of Options (1)

RedLeg (22564) | more than 2 years ago | (#32683378)

We would rather not install/uninstall antivirus software even for one-time use, due to various licensing issues, nor do we want to connect to the internet to use web-based online scanners. Is there any stand-alone anti-virus/anti-malware software for Windows that can be run directly from the write-protected flash drive itself?"

There are many anti-virus vendors that offer free downloadable rescue disks that you can boot from and scan your system. F-Secure, Panda, Avira, AVAST, and Bitdefender come to mind. McAfee offers an executable called Stinger.exe, and Microsoft's installable Microsoft Security Essentials is free.

Try any one of those programs from a reputable security software vendor; there are more than listed above.

I have used Kaspersky for this purpose (1)

Zarf_is_with_you (1382411) | more than 2 years ago | (#32683386)

http://www.kaspersky.com

They have a tool you can create from a working installation; it creates a bootable CD (PE) that you can clean a system with. I found it works very well. I would imagine it could be installed on a bootable flash disk as well.

I have found it useful when you don't want to boot up an infected system.

It is able to update virus/malware definitions if it has the necessary network driver available.

You and/or your customers are RETARDED (0)

Anonymous Coward | more than 2 years ago | (#32683412)

"nor do we want to connect to the internet to use web-based online scanners"

Why *not* connect to the internet - your retarded customers obviously have been...

BTW, a LART is a proven antivirus solution; the next time a customer brings in a fux0red machine, apply the LART until the screaming stops.

SysClean from trendmicro (1)

EkriirkE (1075937) | more than 2 years ago | (#32683458)

I've had great success with SysClean from trendmicro [trendmicro.com]. It's free and may be a bit unintuitive how to get the files required, but it has worked greatly for me in the past for malware that disables AVs, and it requires no installation.

SUPERAntiSpyware Portable (3, Informative)

DodgeRules (854165) | more than 2 years ago | (#32683466)

http://www.superantispyware.com/portablescanner.html [superantispyware.com] I have had good luck with this. Hope you do too.

Re:SUPERAntiSpyware Portable (2, Funny)

Pharmboy (216950) | more than 2 years ago | (#32683720)

I see Antivirus 2010 on half the computers I come across, it must be a good product since everyone has it! ;)

Re:SUPERAntiSpyware Portable (1)

IndustrialComplex (975015) | more than 2 years ago | (#32684238)

I see Antivirus 2010 on half the computers I come across, it must be a good product since everyone has it! ;)

Is that one of those fake anti-virus hostage programs like AV Security Suite? I've gone at least 5-8 years running Windows XP Pro and haven't had an issue with a virus during that time. In the last 3 days I've had issues with AV Security Suite getting onto my systems. How the hell is that company, or whoever is running the scam websites, not getting slapped down by the police?

I'm guessing that whoever is behind it likely was banking on the Flash vulnerability and served it through infected advertisements. Family members came to me in droves due to this bastard program. Normally auto-update is fast enough to patch before they get hit, but not this time. Never before have I wanted to physically harm the writer of a virus so much. Cleaning it out of a system was a pain in the ass. For the most part I just gave up and just reimaged the machines.

Sorry for the rant, but going 5 years without any major incidents really made this one bug me. (that and as far as I can tell, it came from ads served on reputable sites)

The police? (1)

way2trivial (601132) | more than 2 years ago | (#32684610)

Which police department is exactly responsible?

have you completely missed every reference to the lawlessness of the net?

there is no central authority to do what you so glibly suggest is the problem of the "Police"

Re:SUPERAntiSpyware Portable (0)

Anonymous Coward | more than 2 years ago | (#32684114)

This link is bullshit. The download is a .COM file and when you run it, it takes you to all kinds of bullshit webpages. Thanks a lot, asshole.

Re:SUPERAntiSpyware Portable (1)

techvet (918701) | more than 2 years ago | (#32684618)

To "Anonymous Coward": This is a .COM because most viruses can't infect a .COM file. I haven't used the portable version myself, but can attest to the regular version working well. http://www.technibble.com/superantispyware-portable-repair-tool-of-the-week/ [technibble.com]

Re:SUPERAntiSpyware Portable (1)

irishdaze (839248) | more than 2 years ago | (#32685048)

Hats off to you, techvet. I wouldn't have been able to be so civil in my answer to flame.

Combofix (1)

Dega704 (1454673) | more than 2 years ago | (#32683540)

I use Combofix. It has to be able to connect to the Internet to update, though. Unless you want to constantly download the newest version onto the drive.

UBCD4Win would probably be a good tool for you (1)

Yaddoshi (997885) | more than 2 years ago | (#32683554)

From what I understand the article states:

a) these devices are owned by the customer and have a hard drive with moving parts running Windows XP Home

b) the company wants to offer one-shot cleanups that they can run from a usb drive

If this is true, you definitely want to check this out: http://www.ubcd4win.com/ [ubcd4win.com] - this tool is designed to create bootable optical disks and also bootable USB flash drives, both to run a BartPE based Windows XP-like environment. The tool includes several virus and malware scanning utilities. It used to support Clamwin but does not currently include it, however I believe that can be added if needed. Hope that helps.

Drweb (0)

Anonymous Coward | more than 2 years ago | (#32683688)

You can try Drweb CureIt - http://www.freedrweb.com/cureit/?lng=en
They also have live CD version - http://www.freedrweb.com/livecd/

Both are usually updated daily.

usb optical drive (1)

soundguy (415780) | more than 2 years ago | (#32683712)

If the device has a USB port, you can just plug in a USB optical drive and use any old AV boot disk. There's no reason to restrict yourself to just thumb drives.

ClamAV sucks (0)

Anonymous Coward | more than 2 years ago | (#32683876)

I see all the mentions of ClamAV but I have tested it and it pretty much fails at detecting everything. I used to use it all the time but I recently had a rash of family members with infected computers and ClamAV failed to detect anything at all on those machines.

To be honest the built-in Microsoft malware scanner works pretty darn good.

Do those "physical" write-protect switches really physically protect it, or is it just a flag for the OS to write-protect it (i.e. software write-protect)? If it's just a software write-protect then that ain't gonna do shit.
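Whatever the switch does, the check a shop can actually make is whether the drive came back from a job unchanged. The following is an added example, not code from the thread: it records a SHA-256 manifest of every file on the drive (kept off the drive, e.g. on the shop workstation), then re-hashes the drive on return and reports anything modified, added or removed. The drive contents in `demo()` are constructed, and the tampering it simulates stands in for what a successful write by malware would look like.

```python
"""Integrity manifest for a technician's "write-protected" flash drive.

Added example (not from the thread). The mount path is whatever you pass in;
the manifest is stored off the drive so a silently modified drive is caught.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """SHA-256 of a file, streamed so large definition files don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (relative_path, status) for each deviation from the recorded manifest.

    status is 'modified', 'added' or 'removed'; an empty list means the drive
    is byte-for-byte what was recorded.
    """
    current = build_manifest(root)
    findings: List[Tuple[str, str]] = []
    for rel in sorted(set(expected) | set(current)):
        if rel not in current:
            findings.append((rel, "removed"))
        elif rel not in expected:
            findings.append((rel, "added"))
        elif current[rel] != expected[rel]:
            findings.append((rel, "modified"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed walk-through: record a drive, tamper with it, verify it."""
    drive = tempfile.mkdtemp(prefix="usbdrive_")  # stands in for the mounted drive
    try:
        os.makedirs(os.path.join(drive, "tools"))
        os.makedirs(os.path.join(drive, "defs"))
        with open(os.path.join(drive, "tools", "scan.exe"), "wb") as f:
            f.write(b"constructed scanner payload")
        with open(os.path.join(drive, "defs", "dat.bin"), "wb") as f:
            f.write(b"constructed definitions")
        recorded = build_manifest(drive)  # done in the shop before the job

        # Simulate what a successful write to the drive would leave behind.
        with open(os.path.join(drive, "tools", "scan.exe"), "ab") as f:
            f.write(b"\x00tampered")
        with open(os.path.join(drive, "autorun.inf"), "wb") as f:
            f.write(b"[autorun]\r\n")
        os.remove(os.path.join(drive, "defs", "dat.bin"))

        return verify_manifest(drive, recorded)  # checked when the drive comes back
    finally:
        shutil.rmtree(drive)


if __name__ == "__main__":
    for path, status in demo():
        print(f"{status:9s} {path}")
```

Run `build_manifest()` once on the freshly prepared drive and save the result; after each job run `verify_manifest()` against it. A non-empty result means something wrote to the drive, whatever the switch claimed, and the drive should be re-imaged before its next use.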

Yes! The old school SCAN.EXE and CLEAN.EXE (5, Informative)

Saint Stephen (19450) | more than 2 years ago | (#32683882)

Back in the BBS days, from McAfee, you could download SCAN.EXE and CLEAN.EXE and run them on DOS.

And - you still can!

Go to their website and find the command line scanner for win32. It claims to be a trial version, but with no install routine and being a command line program, that doesn't mean much. It uses the same .DAT files that you download for any other VirusScan program.

I get a huge chuckle when I run it, because it's exactly the same way it was in 1988 and that's the way it oughta be. All this other crap is fer lamos :-)

Some To Look Into (1)

pgn674 (995941) | more than 2 years ago | (#32683972)

I don't have any write-protect drives on me right now, but I think these may have worked in the past: ComboFix, Dr.Web CureIt!, and... oh, that's it. In your search, try looking for 'portable' versions of your favorite virus scanners; that's what they usually call the kind that can run off flash drives, and some may work on write-protect ones. BTW, if you're worried about licensing, running from a locked flash drive may not clear you automatically. When you run the program, it kind of "installs" to RAM, and if it needs to perform a reboot, it may write some stuff to hard drive, not to mention the log files that may be written to HDD.

Linux + clamAV (1)

tinkerghost (944862) | more than 2 years ago | (#32684000)

I have a USB stick with Linux & TWM. It's some variant of Debian. I have it set up with clamAV and I run FreshClam before going out for a job. I made sure I have a CD that I can boot & chroot if the hardware won't boot off of a USB HD. By running the separate OS, I don't have to worry about a rootkit hiding itself from the Windows OS. I know several people who also have XP running from flash drives & run MBAM and other software from them.

Vipre Rescue Scanner (1)

TehZzYzX (1803444) | more than 2 years ago | (#32684122)

http://live.sunbeltsoftware.com/ [sunbeltsoftware.com] Extract it to the USB drive, then run it on the offending PC. The only issue that might arise is that two files are copied to the C: drive before the scan starts: one to C:\Windows\, the other to C:\windows\system32\. Both are necessary for the scanner to work properly.

Just a few notes (1)

meerling (1487879) | more than 2 years ago | (#32684286)

When dealing with malware, viruses, worms, backdoors, etc., there are many things they can do if they are live.

The way to shut them down for the moment is a clean boot from a clean, verified, uninfected source, something like a CD or USB if the hardware/BIOS permits. Also, pull out the network plug: some malware will propagate to other machines over the network, even if you don't think you're accessing it.
Two things to look out for. First, some computers may seem to let you boot from those sources but still load something off the hard drive, which can result in the malware being loaded. You have what looks like a clean boot, but isn't.
Another thing: always do that clean boot from a completely powered-off state. Not sleep mode, not hibernate, and absolutely not a reboot. Some laptops do not make that an easy thing. There is a simple reason for this. The memory wipe that supposedly happens when you reboot not only isn't complete, but can be changed to do even less. In other words, there is numerous malware out there that laughs at reboots. Some of it even survives simple resets. A trick I used to do in high school: play a game, turn the computer off, turn it back on in 10 seconds, put in a particular memory execution command, and resume the game exactly where it was when I shut off the computer. There isn't much malware that can duplicate that, but there is some. Rule of thumb: leave the computer unpowered for at least 30 seconds.

Does this stuff sound kind of apocalyptic? Maybe, but it's all true. Are you likely to encounter those types? If you aren't doing anti-virus (or other anti-malware) stuff a lot, it's unlikely. But yes, it does happen, and as a computer professional, you are supposed to take steps to avoid those possibilities. (Not to mention it might save you some hair.)

By the way, they really need a current and high quality antivirus with current definitions (KEEP THEM CURRENT) to reduce the re-occurrence of infections. It's kind of like doing an emergency tracheotomy on someone every couple weeks because he's allergic to flan, and yet there are reasonably effective anti-flan allergy pills out there. It's really bad karma to not insist the fool starts taking them on a regular basis. (Counseling them how to avoid it in the first place is also important, but we both know how well that works on some people.) At least if you strongly insist that they get proper protection (and keep it up to date), then you'll have done everything you reasonably can, and nobody can accuse you of unprofessionalism.

It wasn't clear from the blurb if you were doing a full clean boot, so this is just to make sure. Besides that, since you made mention of it trying to write back to your media, it's pretty obvious it wasn't a clean boot.

Bootable CD's FTW! (1)

newbie65536 (628512) | more than 2 years ago | (#32684324)

There are many anti-virus companies that offer versions of their anti-virus on bootable CD's that you can download and run for free (legally). It will take just a little bit of Google work but I know you can find ones for Avira, Bit Defender, and Kaspersky. There might be more out there but the one I use the most (I work as a PC tech cleaning out lots of viruses.) is the Avira CD. Happy virus killing!

These might work (0)

Anonymous Coward | more than 2 years ago | (#32684426)

http://www.pendriveapps.com/software/portable-antispyware-malware/

PCI/BIOS and other Rootkits - IGNORED by products (0)

Anonymous Coward | more than 2 years ago | (#32684640)

Anyone, please tell me one antivirus and/or antimalware product, free or not, which:

- Scans all PCI cards for viruses/trojans/rootkits (VTR)
- Scans BIOS for VTR
- Scans connected/networked printers for VTR
- scans any other connected device in whichever, whatever slots
    or connections with readable or writable media for VTR

The many rootkit scanners available do not, neither do any of the antivirus companies products unless I'm wrong.

The product doesn't exist! Google "PCI Rootkit" and start reading. Google "BIOS rootkit" and read further. The serious malware surviving formats and zeroing isn't on the hard drives themselves; it has formed an intimate relationship with what all scanners ignore: your other hardware devices, internal or external. Google further into the real power/weaknesses of your network cards and learn just how exploitable they are, too.

Until we have a product with the ability to scan, disinfect, and show you exactly what is infecting your *other* hardware, the products on the market today are just virtual ticklers for the e-ballsack. It's 2010; one should not have to boot into a LiveCD and use an old text-based GUI tool to dump their BIOS and do comparisons and checksum verification. When is the last time you did this for your graphics card?

Hard drives, USB drives, yes, yes, I know, but the real threats are being overlooked, your *other* hardware!
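The "dump their BIOS and do comparisons and checksum verification" step the post describes is straightforward once you hold two raw images. The following is an added example, not code from the thread or from any product: it hashes a vendor reference image and a dump taken from the machine, optionally checks the reference against a published SHA-256 so a tampered reference is caught too, and lists the exact byte ranges where the dump differs. How the dump is obtained (the vendor's flash tool, or an external programmer) is outside the example; the two images below are constructed.

```python
"""Compare a firmware dump against a known-good reference image.

Added example (not from the thread). Assumes you already have the two raw
images as bytes; the sample images in constructed_images() are made up.
"""
import hashlib
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_ranges(reference: bytes, candidate: bytes) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where candidate differs from reference.

    A length mismatch is reported as one trailing range covering the surplus
    or missing tail, merged with a preceding range if they touch.
    """
    ranges: List[Tuple[int, int]] = []
    common = min(len(reference), len(candidate))
    start: Optional[int] = None
    for i in range(common):
        if reference[i] != candidate[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(reference) != len(candidate):
        tail_end = max(len(reference), len(candidate))
        if ranges and ranges[-1][1] == common:
            ranges[-1] = (ranges[-1][0], tail_end)
        else:
            ranges.append((common, tail_end))
    return ranges


def verify_image(reference: bytes, candidate: bytes,
                 expected_sha256: Optional[str] = None) -> dict:
    """Return a verdict: hashes, whether the reference matches its published
    hash (if one is supplied), the differing ranges, and an overall clean flag."""
    ref_hash = sha256_hex(reference)
    report = {
        "reference_sha256": ref_hash,
        "candidate_sha256": sha256_hex(candidate),
        "reference_trusted": expected_sha256 is None or ref_hash == expected_sha256,
        "diffs": diff_ranges(reference, candidate),
    }
    report["clean"] = report["reference_trusted"] and not report["diffs"]
    return report


def constructed_images() -> Tuple[bytes, bytes]:
    """Constructed 4 KiB 'known-good' image and a copy with two patched spots."""
    reference = bytes(range(256)) * 16
    tampered = bytearray(reference)
    tampered[0x100:0x104] = b"\x90\x90\x90\x90"  # constructed: four overwritten bytes
    tampered[0xC00] ^= 0xFF                       # constructed: one flipped byte
    return reference, bytes(tampered)


if __name__ == "__main__":
    ref, dump = constructed_images()
    result = verify_image(ref, dump)
    print("clean:", result["clean"])
    for start, end in result["diffs"]:
        print(f"  differs at 0x{start:06X}-0x{end:06X} ({end - start} bytes)")
```

Two caveats a practitioner would apply before trusting the output. Real firmware images contain regions that legitimately change (NVRAM/setup variables, DMI data, logs), so differences confined to those regions are expected and should be masked by offset before judging the rest. And a dump taken from inside the running OS is only as honest as the firmware answering the read request; a dump made with an external programmer with the board powered off does not have that problem.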

Re:PCI/BIOS and other Rootkits - IGNORED by produc (0)

Anonymous Coward | more than 2 years ago | (#32684842)

I would like to replace your BIOS with one that does nothing except display a picture of goatse. I don't really care if I have to replace the system BIOS or the video BIOS.

Unlikely... (1)

frank_adrian314159 (469671) | more than 2 years ago | (#32684646)

Not if you want the system to actually be secure. In order to effectively scan, you'll need up-to-date virus definitions. If you don't want to be on the network for an online scan, you probably won't want to be on the network to download definitions. It wouldn't matter anyhow, as you can't put them on the USB drive because you want to maintain write-protect. As such, even if you put the AV product on your system, you'd shortly be stuck with out-of-date definitions, unless you have some other writable media to put them on, which you didn't mention.

So, to summarize - you'll need to get updated definitions and put them somewhere. If your system doesn't have (or you don't want) that, you don't have a viable solution.

Opiboble (0)

Anonymous Coward | more than 2 years ago | (#32684730)

AVG Rescue CD :D

You can put it on a flash drive and it will boot up a linux kernel and scan the system. Great tool!

http://www.avg.com/us-en/avg-rescue-cd

Use MS Security (0)

Anonymous Coward | more than 2 years ago | (#32684816)

"Microsoft Security" might sound like an oxymoron, but Microsoft Security Essentials is actually pretty good, and it's free. Just install it on every device.

And as an earlier poster said, it's ludicrous to let viruses in just to clean them up later, dude. Would you do that with your girlfriend? "Oh, it's okay if I get herpes, honey, they've got great antiretrovirals these days."

Re: Stand-alone software (1)

madmod (988136) | more than 2 years ago | (#32684878)

First, use a USB external CD-RW drive. Next locate a copy of "f-secure-rescue-cd-3.11-23804.iso" and burn it using another computer to a CD-R. Finally, boot the CD-R in the CD-RW drive on the Windows computer that's infected. The disk will use a simple Linux shell and start the AV tool from F-Secure. The software will visit the home site (use an Ethernet connection) and get the virus definitions that are current and will then do a full scan of the Windows hard disk.

Booting from infected drives? (1)

nurb432 (527695) | more than 2 years ago | (#32684930)

That is a problem right there if you are wanting to boot from the infected drive THEN test. If you can boot off the USB too, why not just boot off USB, then connect/share via SMB to a machine in your shop that has all the scanning stuff and do it from there?

Then simply... (0)

Anonymous Coward | more than 2 years ago | (#32685018)

Then simply stop using that malware/virus-infected, bug-ridden pile of Windows and go with an embedded *nix or similar. Jeeze, why do people use this crap, then complain when it doesn't work! Time after time...