
Auto Scan USB Devices

Created: 04 Jun 2008 • Updated: 21 May 2010 | 31 comments
Can SEP (not SAV) auto scan a USB drive upon insertion?  This was a key feature that we were led to believe would be available, but we are getting mixed results.   Will it auto-scan the drive if we have certain features enabled in the App/Dev control?
 
Are there "Windows tricks" that we can use to make the drive window automatically open so that SEP is forced to scan it?
 
Thanks,
MK_SEP_Admin


Luciano's picture
Hi,

I think you can't do that.
But are you sure that's what you need ?
What will happen when you connect a 16 GB flash drive... SEP will start the scan and you will have your performance down for 5 to 10 minutes.
What SEP does is detect the threat when it's executed or copied...so, the final result will be the same.

Remember that SEP doesn't detect threats when the window opens... you need to touch the file in some way.

The best way here is to disable auto play for this kind of devices to stop auto-execution of infected files.

Cheers,

Luciano Scalabrini
Luciano's picture

Hi !! :) I was looking forward your question.. and perhaps you could work with DoScan.exe and make something work when the user plugs the device...

DoScan.exe is a command line scan... check it out.


Cheers,

Luciano
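
One way to wire a command-line scanner to drive insertion, as the reply above suggests. This is an added example, not code from the thread and not a Symantec-documented procedure. The scanner path, its argument template and the log path are parameters you supply yourself (take the DoScan.exe switches from the vendor documentation for your version); the event source name is arbitrary.

```powershell
# Added example: run an on-demand scan whenever a removable volume arrives.
param(
    [Parameter(Mandatory)] [string]$ScannerPath,  # assumption: full path to DoScan.exe on this host
    [Parameter(Mandatory)] [string]$ArgTemplate,  # assumption: scanner arguments, {0} becomes the drive (e.g. E:)
    [string]$LogPath = "$env:ProgramData\usb-scan.log"   # assumption: log location
)

if (-not (Test-Path -LiteralPath $ScannerPath -PathType Leaf)) {
    throw "Scanner not found: $ScannerPath"
}

# Win32_VolumeChangeEvent with EventType 2 is raised when a volume arrives.
$source = 'RemovableVolumeArrival'
Register-CimIndicationEvent -Query 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2' `
    -SourceIdentifier $source | Out-Null

try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier $source
        Remove-Event -EventIdentifier $evt.EventIdentifier

        $drive = $evt.SourceEventArgs.NewEvent.DriveName   # e.g. "E:"
        if (-not $drive) { continue }

        # Act only on removable media (DriveType 2). Some external USB hard
        # disks report as fixed disks (DriveType 3) and are skipped here.
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
        if (-not $disk -or $disk.DriveType -ne 2) { continue }

        $scanArgs = $ArgTemplate -f $drive
        $proc = Start-Process -FilePath $ScannerPath -ArgumentList $scanArgs `
            -Wait -PassThru -WindowStyle Hidden

        # Record every scan so there is evidence that each inserted drive was checked.
        '{0:o} drive={1} label="{2}" exit={3}' -f (Get-Date), $drive, $disk.VolumeName, $proc.ExitCode |
            Add-Content -LiteralPath $LogPath
    }
}
finally {
    Unregister-Event -SourceIdentifier $source -ErrorAction SilentlyContinue
}
```

The scan starts on arrival but does not hold back access to the drive until it finishes, which is the limitation raised later in this thread; the log only shows that a scan ran and what exit code the scanner returned.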

mk_sep_admin's picture
We have some "high risk" locations where USB drives are routinely shared among home PC's, work PC's, visitor PC's etc.  In these locations we would force a scan of the drive.  We were told by our Symantec rep (and lightly tested with some success) that this was a feature within SEP. Now that it is time to implement this setting, it does not seem to behave the way it did in our early tests.  I understand that SEP scans "on access" of the files, but for some of these locations, that just isn't good enough due to the nature of what some people do on their home PC's where these drives are shared.
 
Thanks.
SAM_SHAIKH's picture
HI Luciano,
 
Can you please provide us with the procedure on how to run the DoScan.exe from command line..
 
Thank you
 
Rgrds,
SAM
Aaed Alqarta's picture

Hey there,

To solve the USB flash auto-scan problem temporarily:

1) Disable Auto-play, see:

http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/

2) Prevent Windows from executing any (autorun.inf) :

open notepad, copy-and-paste this code, then save it as (no-inf.reg), double click, confirm merging by clicking on yes

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


3) Teach your users to insert their flash disk, then right click, scan for viruses.

4) Use flash-disks that support encryption, malware can't infect encrypted files. (e.g, SanDisk Cruzer)

5) Use "Application and Device Control" policy to block applications from running from removable drives

6) Disable removable drives at all, this is what I've done, and malware infections decreased dramatically. :)

for more about malwares, visit my blog:

http://extremesecurity.blogspot.com



Authorized Symantec Consultant - Symantec Certified Specialist - Experts-Exchange Certified Guru

Please don't forget to mark your thread solved
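
A check for steps 1 and 2 of the list above, so that the settings can be verified on a machine rather than assumed. This is an added example, not part of the original post; the function name is hypothetical, and `NoDriveTypeAutoRun` is the standard Windows policy value for disabling autorun per drive type, which the post itself does not name.

```powershell
# Added example: report whether autorun.inf processing is neutralised on this host.
function Test-AutorunHardening {
    $report = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Step 2 of the post: the IniFileMapping override redirects every
    # autorun.inf lookup to a registry location that does not exist.
    $mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $mapValue = $null
    if (Test-Path -LiteralPath $mapKey) {
        $mapValue = (Get-Item -LiteralPath $mapKey).GetValue('')   # '' reads the (Default) value
    }
    $report.IniFileMappingValue = $mapValue
    $report.IniFileMappingOk    = ($mapValue -eq '@SYS:DoesNotExist')

    # Step 1 of the post: autoplay/autorun policy. Bit 0x04 of NoDriveTypeAutoRun
    # covers removable drives; 0xFF covers every drive type.
    # The machine-wide (HKLM) value takes precedence over the per-user one.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $mask = $null
    foreach ($path in $policyPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $value = (Get-Item -LiteralPath $path).GetValue('NoDriveTypeAutoRun')
        if ($null -ne $value) { $mask = [int]$value; break }
    }
    $report.NoDriveTypeAutoRun = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { 'not set' }
    $report.RemovableAutorunOff = ($null -ne $mask) -and (($mask -band 0x04) -ne 0)

    # Either control on its own stops autorun.inf from launching code on
    # removable media; having both is the belt-and-braces state.
    $report.Hardened = $report.IniFileMappingOk -or $report.RemovableAutorunOff
    [pscustomobject]$report
}

Test-AutorunHardening | Format-List
```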

John_B's picture

We are looking for this functionality as well. We need to allow access to USB drives but also need them to be scanned once they are loaded. Is this functionality available? It seems like a key feature. Disabling auto-run is not the answer we are looking for.

TEvans's picture

I'm looking for an answer to this as well.  I need to be able to automatically scan with SAV any USB drive  (thumbdrive, jumpdrive, pendrive, etc) that is inserted into the PC.

 

Does anyone know how to do this?   

Jose Luis N's picture

Hi there, I need to do the same: a scan when the USB has been plugged in, but doing this from the SEP console. Does anyone know how to configure this??

thanks and regards

zer0's picture

The feature to scan the whole drive is not really required as the product scans any files that are accessed by default.

But it really does depend on how important you rate this level of scanning.

Some people want it desperately and others are not too worried.

 

Why do you want to scan the whole drive?

What is the implication of possibly leaving a dormant virus in a sub folder on the drive somewhere?

Isn't the system still protected and unharmed even if there is a dormant virus?

If a file isn't accessed and therefore cannot execute does it really need to be scanned?

 

You can set the feature "scan on" - create, move, copy, etc.

This will pick up the virus as the file is accessed, viewed or modified in any way.

 

Z

reza akhlaghy's picture

Hi

 

In my experience it is best to block "applications from running from removable drive" (which is one of default policies in application/device control section) and block autorun.inf (as described in previous replies). It will greatly reduce risk of infection from removable drives. Normal "scan on access" policy of SEP will take care of rest.

 

 

NickF's picture

Hi,

 

Whilst I accept the security of blocking applications for removable drives and scan on access for my own network, where I can insist on these measures, however often our customers are open enough to allow USB drives (varying restrictions), but diligent enough to have made us sign a contract saying we will virus scan everything before giving it to them (which is fair)....

 

I would love to have a feature of SEP, whereby I could guarantee that if a USB drive was plugged into any of our corporate machines it was definitely virus scanned - IE remove the 'I must remember to right click/scan for viruses' human element of the equation.

 

Can anyone let me know if a: this feature is already available, or b: if not, can it be in a future release?

 

ta

nick

ShadowsPapa's picture

>>

The feature to scan the whole drive is not really required as the product scans any files that are accessed by default.

But it really does depend on how important you rate this level of scanning.

Some people want it desperately and others are not too worried.

 

Why do you want to scan the whole drive?

What is the implication of possibly leaving a dormant virus in a sub folder on the drive somewhere?

Isn't the system still protected and unharmed even if there is a dormant virus?

If a file isn't accessed and therefore cannot execute does it really need to be scanned?

 

You can set the feature "scan on" - create, move, copy, etc.

This will pick up the virus as the file is accessed, viewed or modified in any way.

<<

 

That's a no-brainer to me......... ever had the Symantec app fail?? 

You want to scan to be sure it's clean, a base-point. That way, if they put it in a machine where the protection has failed (yes, it sure does now and then!) or an otherwise unprotected computer, or say in my case, I build images, so I don't always have protection on the computer as soon as I start using USB devices. There are a number of reasons I can think of an entity, esp a gov't entity, may want to be SURE for a fact there's nothing dormant. As far as I'm concerned, NO computer is truly clean until or unless ALL traces of the bug are gone, file and registry and otherwise.  I trust nothing........ I've seen things fail, I've seen antivirus products fail under certain conditions, and allow "infected" files to be used or moved. 

I also used to work in a company that was embarrassed beyond red by supplying Standard Oil with an infected DISK even though our computers were "clean". This involved software worth several hundred thousand dollars and hardware worth more than that.  There's a learning experience! Trust but verify.

I don't put out the guard dog without also locking the windows and doors and setting the alarm.  The bad guys have more time and money than I do.

NickF's picture

Hi Helen,

 

I'd love to request the feature via the route you mention, but SEP isn't in the list of products....

 

I completely agree with the last poster's comments - This 'should' be an option anyway...

 

 

Nick

shl7c's picture

Does anyone know of Anti virus software that supports this feature?? It is essential to my environment.

 

Thanks,

Sky

Helen_Gressman's picture

Hi Nick,

Select Symantec AntiVirus and for the product version select 11.0

NetUser's picture

shl7c wrote:

Does anyone know of Anti virus software that supports this feature?? It is essential to my environment.

 

Thanks,

Sky

Users will say "no" to this.  They will complain that it is annoying and will hurt their business productivity to have to wait for a scan of even a 1 or 2 gb flash drive every time they insert it.

shl7c's picture

NetUser wrote:

Users will say "no" to this.  They will complain that it is annoying and will hurt their business productivity to have to wait for a scan of even a 1 or 2 gb flash drive every time they insert it.

Well that's just not the case for *my* environment which mandates a scan each time the device is inserted... now of course I can do this manually, but gee, wouldn't a toggle-able option to do it for the user be nice?? I'm not trying to force it on those people who wouldn't want it... holy cow.

 

So I guess no one knows of antivirus software with such a feature?

 

I guess I'll request this addition through the appropriate channels.

 

Sky

Wayno's picture

I agree that this should at least be an option for users to select.

 

I do a lot with computers for conferences and you can see thousands of Portable USB devices and manually scanning each one before hand is a pain!!!!

 

I know there will be a lot of people that would say no to this as a default option, but why can't there at least be the option!

 

I notice the option to scan floppies is still there, and I haven't seen one of them in a few years!!!

Citlali's picture

I can understand the initial appeal of a feature like this, but actually using it in business environment would be a total nightmare.  Can you imagine the kind of performance hit you would take just to scan an 8GB drive with a bunch of install files on it? Extracting all those exe, zip, cab, etc...  If you were going to make a policy like this then it would only make sense if you could actually require the scan to complete before allowing access.  I don't see any way that would be possible and if it weren't required, then people could just connect the drive and copy files before the scan finished, thus defeating the purpose. 

NickF's picture

Which ever way you look at it, adding the feature will harm no-one - Those that don't want it or don't need it do not have to switch it on. The reasonable number of people who do see this as an important option will have it.

 

A win win situation - How can there be an argument against?

 

I agree the debate over using such a feature can and probably will go on forever... but that is a different argument.

 

There are aspects of asking for this 'feature' for me that are contractual, there are aspects that are additions to risk mitigation, there are even aspects that will use the inconvenience to my benefit - ie it will help discourage unnecessary use of USB memory sticks.

 

Nick 

 

ShadowsPapa's picture

I'm 150% with nickf

In some places, it's a REQUIREMENT that all drives - removable drives, be scanned prior to use.

So where does that leave us? With a competitor.........

And it's not that bad a hit with a USB drive - they are NOT mechanical like a hard drive! Scanning an 8gig USB stick takes less time than it does to scan 8 gig on a hard drive.

 

Please give us that option! For a state agency, I can give REAL LIFE stories on why we need this! Seriously.

We've seen the impact, and we've seen the mandates coming down to CONTROL such devices, and speed impact is not a consideration, period. The technology governance board doesn't care if it slows things down a bit compared to the state systems getting infected due to NO protection on a memory stick or portable device - and remember, PDAs and IPODS can store files and have infected materials on them.

pbogu's picture

But all files are scanned by default on access and on modification which will work on USBs as well as other media. Why do you need to automatically run an On-Demand Scan when there is Access Scan in place? Btw flash to hdd speed scan doesn't depend that much on the media itself but also on used FS, CPU etc.

ShadowsPapa's picture

Yes, they are supposed to be scanned, but then there's a difference - the USB devices can be shared..... and you can't rely on each scan type always working. It's possible SEP may be down or behind in defs on one computer over another.

And when the state mandates, you can't argue - you comply or lose your position, period.

I've also seen the file "autoprotect" fail when a scheduled scan will pick up something, and I've seen scheduled scans miss and then a-p find something an hour later. They seem to work differently, at least they did in SAV. In my experience, based on working with NAV and SAV since about 1990, you never rely on just one detection type.

It does rely on media itself to an extent - GOOD electronic media, such as "memory sticks" are faster than the typical hard drive.

No need to explain how computers work - I built computers when IBM brought out the original PC series with the 8088, and the trash 80's from R-S. LOL. I also specced and built the computers used in turbo-compressor control systems.

On the same computer, a good, fast electronic drive is faster for a lot of processes than a "typical" hard drive, although the hard drives are getting much much better in the last iterations due to technology advances in the bus and internals. A friend of mine worked for Seagate and a few months ago said watch for an explosion in new hard drive technology - they have some great new stuff coming down the pipe that will make very fast, small, huge capacity drives available. (He worked in the white monkey suits in their labs........)

We're limited now by USB 2.xx speeds and abilities. That will change with the next USB spec, then watch out!  I can launch applications, even an OS very nicely from a USB stick. It's not slow at all. And scanning one isn't slow, either.

And especially when you HAVE TO.

Rules are rules, like them or not, and in some cases, there are reasons.

I don't see why folks are so upset about some of us NEEDING that option! If you don't like it, simply don't check it! End of story, right?

But give US the option, otherwise we move to a package that WILL do the scan that's required by our leaders.

shl7c's picture

Additionally, I don't want to have the AV check on file access because I often grep over a directory of thousands of files, and this relatively simple and quick operation slows to a crawl when each file is checked. ...so I turn that feature off.

 

ShadowsPapa's picture

Having thousands of files in a single folder/directory also slows Windows down a lot....... explorer chokes when you get over a few hundred..

We've found that out, SEP/SAV or no SEP/SAV, windows has limits. I also turn off any icon or tile showing, and minimize the details shown as Windows wants to touch each and every file in a folder it's in so that it can show us dumb users how cool it is and display pretty pictures and information we don't need all the time.

Since Windows touches each file to display this info, it would figure that any AV would also have an impact but here, we find the limitations are mostly from the OS...........

shl7c's picture

Yes, I learned that lesson the hard way and have since split the files into multiple levels of directories and grep recursively (and don't use windows explorer). Sadly, I'm constrained to a windows box... I try to make it as bearable as possible.

 

But hey, Symantec...  add the discussed feature please.

Citlali's picture

NickF wrote:

Which ever way you look at it, adding the feature will harm no-one - Those that don't want it or don't need it do not have to switch it on. The reasonable number of people who do see this as an important option will have it.

 

A win win situation - How can there be an argument against?

 

I agree the debate over using such a feature can and probably will go on forever... but that is a different argument.

 

There are aspects of asking for this 'feature' for me that are contractual, there are aspects that are additions to risk mitigation, there are even aspects that will use the inconvenience to my benefit - ie it will help discourage unnecessary use of USB memory sticks.

 

Nick 

 

I disagree with the notion that it wouldn't harm anyone.  Depending on how the feature were implemented, it would give a false sense of security that all usb drives are going to be clean.  As I said, I don't see how they would be able to require the usb scan to complete before allowing access to the drive's files.  This is the only way a requirement like this would improve security. 

 

Autoprotect already scans a file when it is accessed or modified.  The only exception to this is files inside of a compressed file or folder.  Compressed files are not scanned by autoprotect.  This can be a security threat if the autorun.inf on the usb drive executed and then copied a compressed threat to someone's open network shares.  Autoprotect would scan the zip file when it copies, but nothing inside.  A feature that requires a scan of usb drives would not protect against this kind of threat unless you forced the scan to complete before allowing the autorun to execute.  I don't think that would be possible with windows.  

 

In short, this feature would be useless with autorun still enabled on the system.  So a feature like this would actually just harm your performance and give a false sense of security.   I think if they were going to put in a feature like this, it should require that you run application and device control and have a policy disabling autorun. Once you disable autorun though, I don't see the need for this feature. 

NickF's picture

I'm sorry, but I think you are largely missing the point. What I and several others are saying is that regardless of the logic behind it (which is arguable both ways easily), we have a contractual obligation to do this.

Currently, with SEP, we have to instruct our staff to manually scan the devices, and hope that they follow the instruction.

What we would like is the option of doing it automatically.

 

Whether or not you think it is pointless is immaterial. Even if I thought it was pointless (and I do accept the benefits are slim), that is immaterial - I still have to do it - all I'm asking for is a 'tick box' that will make my life easier.

 

Nick

 

ShadowsPapa's picture

I'm with nick - you are missing the point.

What false sense of security? WE are the ones doing it, the people using the things don't know squat.

We are ordered to, so we must do it.

NickF and I understand the benefits, or lack thereof and fully realize all involved. That's not the issue - the issue is we need it - and if it does only prevent one incident, then it was worth it.

I've worked in this field in very large, world-wide organizations, on a financial company with billions invested and trust me, a single instance can cause millions in damage and losses, and even at this State level, is perceived as needed because we deal with confidential information, SSNs, medical info, etc.

I just don't understand why you are so against something we need, whether we personally like it or not is not the point, we are ordered to do so and the public demands it, we ARE public employees.

And at that financial company, this sort of protection was written in to the rules - we had to do it there, too - because people were trusting us with their 401Ks. If they would have demanded bars on the doors, we'd have had to do that too.

If you don't want it, then don't check it! It's really that simple. I've got 22 years in this so fully understand the good, bad, what works, what doesn't work, and why you need or don't need something.

If the governor says you will do something - you do it or look for other work. (and that's not easy right now)