
On-access USB virus scanning?

  • 09-05-2013 09:48AM
    #1
    Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,141 Mod ✭✭✭✭


    I'm stumped on this one so hoping one of the board regulars might be able to help me out.

    I'm looking for either a way to force a full antivirus scan of any removable drive when it is mounted, or a way of whitelisting USB devices that can work with offline as well as online desktop clients. My employer has campus licences for Sophos AV and F-Secure Client Security, but I can't find any obvious way of doing this with either of them.

    I don't want unrestricted USB access because some of the offline desktops are experimental control machines which can't be patched or have full AV-suites installed, and I can't trust my users to keep their pendrives clean because they've proven time and again to be useless in this regard.

    My preferred plan would be to have all the lab machines on a private network which provides limited filestore access, but the lab manager in question (who is not particularly IT literate) is insisting that bringing files in on USB drives is the way to do this. I've explained that he's not getting unrestricted USB access enabled because I've wasted too much time in the past cleaning up his machines when he and his users ignore my instructions, so the compromise is that if I can find a suitable mechanism for whitelisting and on-access AV scanning his budget will fund any necessary licences and/or equipment purchases...


Comments

  • Registered Users, Registered Users 2 Posts: 1,456 ✭✭✭FSL


    Could you not just set the on insertion action to be a full scan and auto disinfection of the media?


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,141 Mod ✭✭✭✭Fysh


    FSL wrote: »
    Could you not just set the on insertion action to be a full scan and auto disinfection of the media?

    That would be a good start (at least on the networked machines, which will auto-update the virus definition databases), but I'm struggling to get it working in practice. There's no obvious mechanism in F-Secure Client Security to do this, and I'm struggling to find any way of doing it in Sophos.

    Unless you mean something different, in which case please assume I'm being dense today and explain :)

    Edited to add:

    Are you thinking of something like this?


  • Registered Users, Registered Users 2 Posts: 3,091 ✭✭✭Antar Bolaeisk


    Just looking through the options I have here for AVG Cloudcare and there's an entire section dedicated to removable devices.

    I don't see any way to whitelist devices but it seems to be fairly in-depth regarding how intensive the scan is, what type of files are to be scanned or ignored, ability to scan within archives and reporting from PUPs to full on infections.

    Don't know if that information is useful or not to you though, but it might be worth getting a trial to see if it's any use in your case.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 94,366 Mod ✭✭✭✭Capt'n Midnight


    Just looking through the options I have here for AVG Cloudcare and there's an entire section dedicated to removable devices.

    I don't see any way to whitelist devices
    Low tech (not recommended): give that particular USB key a different drive letter in Disk Manager?

    A better way is to use the mountvol command to list the UUIDs and somehow use them.


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,141 Mod ✭✭✭✭Fysh


    I've been pointed in the direction of Symantec Endpoint as a possible option for device whitelisting, but as far as I can tell it looks to be a bit too big for my requirements. I'm going to try out the USBVirusScan option I linked to upthread and see if that combined with Sophos will do the trick. Whitelisting is less of a priority if I can get on-access scanning working, though my preferred option would be a combination of the two.


  • Closed Accounts Posts: 5,835 ✭✭✭Torqay


    Entirely different approach, but it requires the registered version of Sandboxie. Just add the possible drive letters to the "Forced Folders" list. Any program executed from these locations (incl. sub directories) will be automatically sandboxed and can therefore do no harm to the system.


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,141 Mod ✭✭✭✭Fysh


    Torqay wrote: »
    Entirely different approach, but it requires the registered version of Sandboxie. Just add the possible drive letters to the "Forced Folders" list. Any program executed from these locations (incl. sub directories) will be automatically sandboxed and can therefore do no harm to the system.

    Hadn't occurred to me at all, but it's certainly worth considering - thanks for the suggestion :)


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,141 Mod ✭✭✭✭Fysh


    Just for the sake of closing off the thread:

    I haven't found any feasible enterprise-grade solutions, because thus far network access is required for the ones I've looked at.

    In the end, I've resorted to a variation on AutoRunGuard using a batch file on networked machines to detect USB devices being connected, run a scan on the drive and assign a 1-day token if the drive is clean. A second script runs on the offline machines which detects connected USB devices, checks for a valid token, and immediately unmounts the drive if no token is present. (Why a batch file instead of powershell? Because I need something that can reliably run on XP SP1 through 7 SP1 across x86 & 64 architectures with a minimum of additional work, and as far as I know that's easier with a batch file than with PoSH...)

    It's short of what I'd actually like for a variety of reasons (USBVirusScan, which AutoRunGuard relies on, can't be installed as a service; the formula for generating tokens is necessarily simple though not immediately obvious; and worst of all I can't seem to reliably disable automatic volume mounting with either mountvol or diskpart, which means that this approach doesn't prevent the mounting of infected devices). However, it should at least help me to change user behaviour and reduce the number of infections until I've got time to deploy a longer-term network-based solution which does away with USB devices altogether.


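As an added example (not the poster's batch scripts, whose token formula is not given in the thread), a Python sketch of the two halves of the scheme described in the closing post, also using the mountvol volume names suggested earlier: the networked machine issues a one-day token bound to the drive's volume GUID and keyed with a shared secret, and the offline machine refuses a token that is malformed, forged, copied from another drive or expired. The mountvol output, the token format and the secret are constructed assumptions.

```python
import hashlib
import hmac
import re
from typing import Optional

TOKEN_LIFETIME = 24 * 3600  # one-day token, as in the scheme described in the thread

# Constructed sample of `mountvol` output (not captured from a real machine)
SAMPLE_MOUNTVOL = """\
Possible values for VolumeName along with current mount points are:

    \\\\?\\Volume{1b2c3d4e-0000-1111-2222-333344445555}\\
        C:\\

    \\\\?\\Volume{9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff}\\
        E:\\
"""

def volume_id_for_drive(mountvol_output: str, drive: str) -> Optional[str]:
    """Map a drive letter (e.g. E:) to its volume GUID using mountvol's layout:
    a Volume{GUID} line followed by indented mount-point lines."""
    current = None
    for line in mountvol_output.splitlines():
        m = re.match(r"\s*\\\\\?\\Volume(\{[0-9a-fA-F-]+\})\\", line)
        if m:
            current = m.group(1)
        elif current and line.strip().upper() == drive.upper():
            return current
    return None

def issue_token(volume_id: str, secret: bytes, now_ts: int) -> str:
    """Run on the networked machine after a clean scan: bind the token to this
    volume's GUID and an expiry, and MAC it with a secret the offline machines share."""
    expires = now_ts + TOKEN_LIFETIME
    tag = hmac.new(secret, f"{volume_id}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{volume_id}|{expires}|{tag}"

def verify_token(token: str, volume_id: str, secret: bytes, now_ts: int) -> bool:
    """Run on the offline machine before allowing the drive: reject malformed,
    forged, copied-from-another-drive, or expired tokens (constant-time MAC check)."""
    parts = token.strip().split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    tok_vol, expires, tag = parts[0], int(parts[1]), parts[2]
    expected = hmac.new(secret, f"{tok_vol}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and tok_vol == volume_id and now_ts < expires

if __name__ == "__main__":
    secret, now = b"constructed-shared-secret", 1368092880  # hypothetical key and clock
    vol = volume_id_for_drive(SAMPLE_MOUNTVOL, "E:\\")
    tok = issue_token(vol, secret, now)
    print(tok, verify_token(tok, vol, secret, now), verify_token(tok, vol, secret, now + TOKEN_LIFETIME))
```

As the closing post notes, a check like this only gates use of an already-mounted drive; it does not stop automatic mounting of an infected device.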