Video Screencast Help

Automatically on-demand AV/AS scan USB devices when plugged in

Created: 07 Jul 2009 • Updated: 12 Dec 2009 | 34 comments
GrahamA's picture
76 Agree
2 Disagree
+74 78 Votes
Login to vote
Status: Reviewed

(re-posted previously requested item)

It would good if you could configure SEP to automatically kick off an on-demand full scan of a USB device, once one was plugged in. It is true that SEP today will scan in real time as files are copied to/from the USB device using AutoProtect but being able to scan the complete device at connect time gives a higher level of confidence.

Comments 34 CommentsJump to latest comment

Jeremy Dundon's picture

Via Windows it is possible to configure to enumerate all the files on a USB device when inserted. The enumeration is enough to cause AutoProtect to scan those files.

+2
Login to vote
GDow's picture

Hi Jeremy;

Can you be more specific as to how to set the enumerating up?  We are looking for a solution to use SEP11 to scan USB drives when inserted.

Thanks.

Gregg

+2
Login to vote
Thomas Ballandras's picture

More options could be added to the feature suggested by Graham, such as:
- Force a full scan of the USB drive when it is connected
- Prompt the user if he wants to scan the drive
- Why not, after scanning the drive, creating a hidden / read-only folder called "autorun.inf" on the USB drive

All these options could be selected (or not) by the administrator.

0
Login to vote
AravindKM's picture

Good idea. In the present world use of USB storage devices are getting increased like anything and the same time these devices are increasing the risk of  virus spreading also. Real time protection can help a lot even then if such an option is available it will increase the security.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

+1
Login to vote
JimW's picture

Would people really use this feature?  Wouldnt your users complain that they have to wait for the scan to complete before the drive can be accessed?  Imagine having to scan 1 gb or 2 of files or with larger volumes taking even longer. This is a good idea and something we plan on adding, but would welcome the feedback.

Jim Waggoner Director Product Management, Symantec Endpoint Protection, Enterprise Security Group, Symantec

0
Login to vote
Rod MacPherson's picture

I've had a request from a user. He'd rather wait a few minutes for a scan than be without a computer for a day.

0
Login to vote
Jedi_B's picture

Yeah, if my company finds out we paid this much money for a product that another product ( Microsoft SE) does for free... I'm in the deep stuff.

MCSA 2003. MCP.MCTS.MCITP. Symantec Certified Specialist.

0
Login to vote
Rod MacPherson's picture

Jedi_B, Microsoft Security Essentials is for personal use only.
Your company could not legally use it. They would have to buy Microsoft Forefront if they wanted an MS Anti-Virus solution.

0
Login to vote
Shaun Vermaak's picture

Scan only first 3 levels and flag binaries marked as RHSA, and shortcuts, autorun.inf etc. pointing to these binaries marked as RHSA, as suspicious and lock them.

0
Login to vote
K.K's picture

Hi

whether SEP 11.0 MR 6 can scan scanning of the USB devices like 3G usb dongle ?

0
Login to vote
K.K's picture

Hi

whether SEP 11.0 MR 6 can scan scanning of the USB devices like 3G usb dongle ?

0
Login to vote
Galaxy S's picture

Is this feature available yet with any of the Symantec's latest versions, as I see that this idea was posted more than two years ago...

+1
Login to vote
Jodyhow's picture

 I second Galaxy S comments.  When is this feature scheduled to be released?  Seems to be a small thing to ask.

 

Thanks

JLH

0
Login to vote
concrete_block's picture

I have had some of my clients requesting this feature, especially due to their diverse operating environment.  I think this should be included as an optional feature that can be enabled if needed.  Of course this would introduce delays in accessing the USB drive. However, users can determine if they want to keep this feature on or turn it off.

0
Login to vote
ajhay.siingh's picture

Hi

USB device automatically scanned while plugged in is not possible in SEP, unlenss the user access read,modify  or write to USB,  if any threat present on the device , it will act and prompt. For scan the device you can do mannually after plugging in, right click on it and selcet scan for viruses option. Symantec Antivirus does not currently run an automatic System Scan on the contents of flash drives when they are first plugged in

As I have reas post and documentation automatic scanning of USB device is not possible.

 

Pls go through folloiwng post

http://www.symantec.com/docs/TECH102573

 

Regards,

Ajay Kumar Singh (Consultant- Information Security)

 

 

0
Login to vote
InsentraCameronM's picture

Auto-scanning USB drives would be a good idea. I have a number of customers who would like this functionality.

Cameron Mottus

+1
Login to vote
ThaveshinP's picture

USB auto-scanning should be in the product by default. we have almost 43000 machines and 90% of all virusses that infect machines come from removable drives. Client has been complainin almost for 4 years that Symantec does not it and has to resort using other products. Why cant Symantec see the value in adding this feature. It will make the product better and give a good impression which is slowing sinking ......

0
Login to vote
cus000's picture

Hello,

+99 from me

Please add this new feature which has been pending since 2009?

+1
Login to vote
Olivier_C's picture

Hi,

I agree with the fact that this option must be embeded in SEPM.

So, ok, autoprotect inspect all files when they are acessed, but why Symantec do not use the same philosophy as local files ? I mean, if autoprotect alone can assume a good security, why are we using planified scan ? ==> Because plannified scan match about 20% - 30% of security risk. So as the same idea, scan USB mass storage when they are inserted is as important as run plannified scan.

This feature is absolutly necesary.

I know that workaround exists, but I don't understand why using workaround that is managed by other teams than security (windows adminitrators), instead of manage it directly in SEPM, in a way that we can give a proof to our Security managers, and be ISO compliant more simply.

 

 

~~~~~~~~~~~~

Olivier

+1
Login to vote
DGLMike's picture

I agree, the option to automatically run a full scan on USB disks as they get plugged in should definitely be in there.

This feature would obviously slow down access to files as the scan runs but if it could utilise Insight type technology (i.e. mark the files as clean) then this delay may only occur the first time the USB disk was plugged in and only new or modified files would be scanned on subsequent occasions.

+1
Login to vote
MaRRuT@CC's picture

Normally a must have....

Still most customers use ADC for get better control on removeable devices but it would be good to have such a feature. Also default scan templates for external devices would be good.

0
Login to vote
ThaveshinP's picture

Yes, ADC does work except for SEP 11.x on 64bit machines. We get hit more on 64bit workstations than anything else..

0
Login to vote
MaRRuT@CC's picture

Great opportunity to uprade :)

0
Login to vote
pete_4u2002's picture

SEP 12 ADC policy compatible with  64 bit OS>

0
Login to vote
ThaveshinP's picture

SEP 12 RU1 MP2 only to be done in October. Right now have to try to put out small fires with SEP 11.x

0
Login to vote
pete_4u2002's picture

agree :-), however the existing version of sep 12.1 will take care of ADC on 64 bit.

0
Login to vote
ThaveshinP's picture

Client wants a solution. WAiting too long to get SEP 12.1 will still have infected machines .

0
Login to vote
uspange's picture

 

Sounds good! For those who do not want to wait, here is a good solution in the meantime: http://blog.didierstevens.com/programs/usbvirusscan/
 
A description on how to "implement" can be found in our tips & tricks section (registrytion required, german): https://www.niwis.com/threads/8869-Scan-von-USB-Laufwerken-bei-Anschluss
0
Login to vote
John Santana's picture

yes please, may I know when is that going to be available ?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote
Chetan Savade's picture

Similar request: https://www-secure.symantec.com/connect/forums/comment-forcer-lanalyse-automatique-de-tous-le-contenu-dun-disque-amovible#comment-9463011

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

0
Login to vote
John Santana's picture

Yes please, the other brand can do it straight out of the box.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote
Frank Quijano's picture

For me, this is useful if the total size of the USB drive would be 8GB or less (maybe 4GB) and it has about 30 to 50% space taken.

Imagine if you insert a USB flash drive with 32GB or greater (maybe a USB external hard drive), and you occupied almost the whole disk.

Varying greatly on how you configured your scanning, would you rather wait for SEP to finish the scanning before you can use it?

Just what I 've remembered from someone from a Symantec representative here in our place.

If you can't stand the heat, get out of the kitchen!

+1
Login to vote
John Santana's picture

Yes, you are somehow right, because during the scanning, the USB cannot be dismounted for safely removal.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote