Jump to content
Valatar

So, what exactly prevents the USB stick from being infected?

Recommended Posts

I love you guys and all, but am somewhat leery of the wisdom of sticking the scanner on a write-enabled USB stick with the intention of plugging it into computers that you know are infected with bad things.  That seems like a recipe for winding up with an infected USB stick that then passes the malware onto every other computer you connect it to.  Is there any mechanism in place to prevent malware from writing to the stick?

Share this post


Link to post
Share on other sites

Hi Valatar,

 

One thing that you could do if you are worried about getting your USB stick infected is to use a utility on one of your tech machines to clean up USB stick if somehow it became infected, or if you fear it is infected.  I am told that such infections are very rare, and that Microsoft has disabled autoruns from USB sticks some time ago.

 

Also, the types of infections that ARE known to infect USB drives are generally well covered by anti virus programs, which should be running on these machines anyway.

 

I hope this helps.  Please let me know if there's anything else I can answer.

Share this post


Link to post
Share on other sites

Unacceptable. As a technician, I had the exact same concern, and for me it's a total deal-breaker for this product. This reply confirms that I made the right choice.

 

One thing that you could do if you are worried about getting your USB stick infected is to use a utility on one of your tech machines to clean up USB stick if somehow it became infected, or if you fear it is infected.

 

An ounce of prevention is worth a pound of cure. I work under the assumption that anything connected to a compromised OS becomes compromised, and it saves me a lot of trouble worrying about whether or not my tech PC, flash drives, or other clients' computers are compromised or not. When I scan and clean a compromised system, it's ALWAYS using a known-clean OS first, and then while running the (previously) compromised (currently questionable) OS. Even then, it's while the suspect OS is not connected to any network or form of external storage. I am NOT going to be constantly scanning the USB stick.

 

I am told that such infections are very rare, and that Microsoft has disabled autoruns from USB sticks some time ago.

 

 

This only addresses half of the problem. Yes, it's true that ACTION+OPEN functionality, which was what led to such exploits, was removed beginning with Windows 7. However, this does not mean that a compromised OS couldn't infect executable files that are already on the drive, particularly if the drive proves to be a lucrative target...one that contains a known set of executable files...one that is routinely plugged into multiple computers...you get the idea. Furthermore, there are still Windows Vista machines which clients occasionally bring in to me; these would be vulnerable.

 

Also, the types of infections that ARE known to infect USB drives are generally well covered by anti virus programs, which should be running on these machines anyway.

 

I'm pretty shocked at the ignorance of this comment, coming from a "professional". I'm not going to rely on the AV program that's already on an infected machine for anything...particularly as a single point of failure. Malware frequently disables existing AV, and the infection had to somehow get past this AV in the first place...even if it is usually through the user-keyboard interface.

 

As has been mentioned before, a write-protection hardware switch would make the issue moot; however, since plans are to make the device bootable (a vast improvement, in my opinion), this will mostly take care of this issue. Until then, however, this product is not for me.

Share this post


Link to post
Share on other sites

I can't justify the cost of a Techbench USB myself - but all my security scanners and utility software installers are now on write protected USB sticks.

I used to burn a new CDR each month to give me a write protected source disk - for use on potentially infected systems.

But that got rather tedious - so now I update the USB sticks and then set the switch to read only.

Not sure if MBAM will run from a read only drive?

 

The two commonly available brands (of USB flash-drives) that provide a physical write-protect switch:

 

 Kanguru USB3 Flashdrives - with physical write-protect switch 

 
Trekstor CS USB2 Flashdrives - with physical write-protect switch 

Share this post


Link to post
Share on other sites

Unacceptable. As a technician, I had the exact same concern, and for me it's a total deal-breaker for this product. This reply confirms that I made the right choice.

 

 

An ounce of prevention is worth a pound of cure. I work under the assumption that anything connected to a compromised OS becomes compromised, and it saves me a lot of trouble worrying about whether or not my tech PC, flash drives, or other clients' computers are compromised or not. When I scan and clean a compromised system, it's ALWAYS using a known-clean OS first, and then while running the (previously) compromised (currently questionable) OS. Even then, it's while the suspect OS is not connected to any network or form of external storage. I am NOT going to be constantly scanning the USB stick.

 

 

 

This only addresses half of the problem. Yes, it's true that ACTION+OPEN functionality, which was what led to such exploits, was removed beginning with Windows 7. However, this does not mean that a compromised OS couldn't infect executable files that are already on the drive, particularly if the drive proves to be a lucrative target...one that contains a known set of executable files...one that is routinely plugged into multiple computers...you get the idea. Furthermore, there are still Windows Vista machines which clients occasionally bring in to me; these would be vulnerable.

 

 

I'm pretty shocked at the ignorance of this comment, coming from a "professional". I'm not going to rely on the AV program that's already on an infected machine for anything...particularly as a single point of failure. Malware frequently disables existing AV, and the infection had to somehow get past this AV in the first place...even if it is usually through the user-keyboard interface.

 

As has been mentioned before, a write-protection hardware switch would make the issue moot; however, since plans are to make the device bootable (a vast improvement, in my opinion), this will mostly take care of this issue. Until then, however, this product is not for me.

 

One point of clarification, though - MBAM is not an AV, and as an addendum, it has a native procedure to bypass many of the disabling techniques used by malware to stop AV / AM software - one of those being Chameleon.

 

 

I can't justify the cost of a Techbench USB myself - but all my security scanners and utility software installers are now on write protected USB sticks.

I used to burn a new CDR each month to give me a write protected source disk - for use on potentially infected systems.

But that got rather tedious - so now I update the USB sticks and then set the switch to read only.

Not sure if MBAM will run from a read only drive?

 

The two commonly available brands (of USB flash-drives) that provide a physical write-protect switch:

 

 Kanguru USB3 Flashdrives - with physical write-protect switch 

 
Trekstor CS USB2 Flashdrives - with physical write-protect switch 

 

 

To the both of you - reading the actual TechBench page would have made it a lot easier to understand why a write-locked / non-writable UFD is being used in the first place.

 

From the TechBench page:

 

 

Saves everything on the stick

Malwarebytes Techbench stores the scan log for each scanned system in its own individual folder for easy reference. All quarantined items are stored on the USB stick, so there is no risk of infecting a cleaned system.

 

Thus, trying to make it unwritable would pretty much break the way it works in the first place.

 

As for infecting the MBAM executables, well, there is this:

 

 

Protects itself with Malwarebytes Chameleon

Malwarebytes Chameleon enables Malwarebytes Techbench to run even when malware tries to block its operation.

 

Yes, I realize that this is not the panacea that will change your mind about the product - but let's be fair, the concerns that were brought up by both of you (and others, both recently and in the past) are not new to the team.  They have been mentioned before, and they will be mentioned again, I'm sure.

 

Finally, here is the FAQ section for TechBench:  https://helpdesk.malwarebytes.org/forums/22990013-Product-Question

 

Of note are the following:

 

https://helpdesk.malwarebytes.org/entries/42639877-What-do-I-do-if-I-cannot-run-a-Techbench-scan-because-of-malware-

 

HTH

Share this post


Link to post
Share on other sites
Hi,

 

We have a Techbench license that arrived today.

 

Is the MBAM Techbench keyed to only run off the USB drive?

 

I can understand why it seems that way but we have a huge site and it would be very useful to be able to run it from a UNC path as we would have to drive to the computer  otherwise.

Share this post


Link to post
Share on other sites

The short answer to your question is yes.

 

If you can send me your name and email address in a PRIVATE MESSAGE, I'll get someone from Sales in contact with you and give you a more detailed answer.  Click on my picture/avatar to send me a PM.  Thanks, and sorry for the delay in responding.

Share this post


Link to post
Share on other sites

I would rather the log file be saved to the customers computer and have a locked usb drive over your assurances. Unlock -> update -> lock -> scan 

 

I can't risk using a usb drive without a write protect, hell with the USB hardware in question, I'm considering going back to DVD. We as technicians have to take every precaution available or risk infecting other customers. 

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.