Saturday, November 08, 2008

Portable Anti-Virus/Malware Security Tools: A Primer

The Mounties are Here!

At least in the circles that I keep there are several common approaches to dealing with a possible virus/malware infection on a system

  1. Use a system-installable anti-virus/anti-malware scanner (hereto referred to as an AVAM).  Common programs such as Norton’s, McAfee, Panda, AVG, Avast, Trend, etc. Once installed, run and (hopefully) remove. However, sometimes they can have trouble removing malicious files from a “live” system.
  2. Manually remove the virus using a host of utilities such as ProcessExplorer, Autoruns, a registry editor, and probably a host of other tools.  Usually effective, but for advanced users only and often no guarantee that you got all the “bits” off your system.
  3. Use a specialized scanner or removal tool specifically crafted just for that particular infection.  This can be fast and flexible, but you have to be sure that the tool you are using specifically address the variant you are dealing with…and often pre-supposes you even know if and what you are infected with.
  4. Try Online Scan Tools and run the AVAM scanner from a web-based source. Or…
  5. Just recover your key data, wipe the system and start fresh and clean.

At least one more technique exists as well that may not be quite as popular; a USB-based AVAM scanning solution.

The benefit with this technique is that you can try to run the scan in Windows Safe Mode (see comment section for clarification) which might increase your effectiveness in removal. Also, if the infection has impacted your ability to access the network/Internet, you don’t have to worry about dealing with getting the needed files downloaded.  You can set many USB devices to “read-only” so you don’t need to worry about cross-contamination to your media.  Finally, you can quickly maintain and deploy multiple AVAM solutions at a problem PC and have a potentially larger success rate.

There are quite a few “portable” AVAM tools out there, and I am not attempting to list them all here.  These particular offerings are from large and well-trusted vendors and also are “free” (assuming you meet their particular licensing and use requirements).  If you know of any others feel free to leave a comment and why you think it is worthy to be considered as well.

If nothing else, I recommend familiarizing yourself with these and maybe keep them stowed away on a USB stick.  Some you will want to periodically update; either by downloading the primary file again or the DAT file signatures and processing them.

Release the hounds!

Trend Micro’s SysClean

Miles over at TinyApps frequently comes up with some great tools on his blog.  A recent offering was Trend Micro’s SysClean.

SysClean is a great and flexible stand-alone AVAM scanner which can be deployed directly to a suspect system off USB or direct-downloads.

The only real “gotcha” is that is isn’t at all intuitive on how to get all the files together to make the thing work.

So here you go.

  1. On your system or on a USB drive, make a folder and name it SysClean.
  2. Download the following Sysclean Package from Trend Micro and place it in there.
  3. Download the latest Virus DAT file named lptxxx.zip from this page.  Note the numbers in the name will change as new DAT files (or Official Pattern Release-OPR as Trend calls them) come out.
  4. Extract the contents of the ZIP file into your SysClean folder.
  5. Download the latest anti-spyware patterns from this page.  You are looking a bit mid-way on that page for the “Detection and Cleanup (Trend Micro Anti-Spyware) – Ssapiptn.Da5” section with the file named ssapiptnxxx.zip where xxx will change with the pattern file number version. 
  6. Extract the contents of the ZIP file into your SysClean folder.
  7. Open the SysClean folder and double-click the "Sysclean.com” file.  It will auto-extract itself and present you with the GUI interface.
  8. Select your options (click “advanced” button for some more) and click “Scan” to go!

It’s an elegant and easy to use solution.

Copy your SysClean folder onto your USB stick and you are good to go traveling!  Just don’t forget to keep those OPR and sig files updated frequently.

Downloads are fast and updated very frequently by Trend.

For more information check out these posts:

Panda Command-Line Scanner GUI

Panda is one of those security companies that is often liked but not well known outside of the geekier security types.  That’s too bad.

Their product line includes a command-line AVAM tool that is beyond the reach of mere-mortals.  However, Pedro Bustamante wrote and maintains a GUI interface for the CLI module that is pretty slick and useful.

Command line scanner GUI frontend - Panda Research Blog

Deployment walkthrough

  1. Download the PAVCL GUI installer from that page and run the executable.  To make things simple, tell it to make the folder on your desktop.
  2. It will unpack necessary files into it from the installer package.
  3. Download the signature file (pav.sig) from the GUI’s blog page and unzip the file into the Panda folder created in step one (pavclg). Rename the folder to something more meaningful if you want.
  4. Open the folder and find the “Pavcl Gui.exe” file and double-click.
  5. The GUI interface appears and away you go!
  6. Advanced options are available from the configuration window.

The only drawbacks I know of are that the signature file may not be updated quite as frequently by the developer as some of the other solutions and that the download speed of the signature file can take a while to bring down…even on a  speedy connection.

That said, if you do your work ahead of time and copy your Panda folder over to USB, you are good to go on demand.  Just check for signature updates periodically before you actually need them.

Like SysClean, it is a great tool who’s simple interface belies it hidden power.

Kaspersky Virus Removal Tool

This is a slightly odd-ducky in the pond.

Kaspersky frequents the top of the AVAM food-chain and is one of the most effective security products of its class.  This free stand-alone scanner isn’t well known, but with a little bit of familiarity, it will become a big-gun in your portable arsenal of weapons.

Deployment walkthrough

  1. Download the tool from Major Geeks or do a direct-download from Kaspersky Labs here.
  2. Save the file to USB.
  3. When needed copy the executable you downloaded to the target system’s desktop and run.
  4. It will auto-unpack using a simple wizard and execute.
  5. Hit the “Scan” button and away you go.
  6. For more options you can click the underlined “Settings” link that is under the location list.

Potential Gotcha’s

First, be aware that this method “installs” the program on your system and enables a real-time “Self-Defense” process to prevent malicious removal of the program.  That’s fine but makes simply closing out of the application and “uninstalling” it difficult and unintuitive.

Luckily Miles has figured it out for us already. To uninstall first go back to “settings” link mentioned and click it.  Uncheck the “self-defense” box. Select OK and close the program window.  Then you can confirm the uninstallation of the program prompt you will see or…

Now copy this folder to your USB stick and use without having to go through all that stuff again.  Especially if you want to use it in Safe Mode on a system…as Windows Safe Mode does not always play nice with installation and removal of programs due to the Windows Installer service not running. (Link for Taking Command of Safe Mode via registry hack or with SafeMSI.exe tool.)

Secondly, Kaspersky aggressively updates this program/file/signature package.  That’s not a problem, but you won’t have the latest signatures unless you download the file again just before you need to deploy it…so keep that in mind as well.

Other than that it is a great tool from an awesome AVAM vendor.

McAfee command-line virus scanner with GUI wrapper

I really like this BartPE tool, but it can be a real pain to get set up if you don’t use or build BartPE disks.

Like Panda, McAfee also offers a command-line AVAM scanner. But it is very powerful and most users will not like using the CLI arguments.  Bart does have a great GUI wrapper for it, similar to the Panda GUI wrapper that really eases things up.

Deployment walkthrough

  1. Hop over to Bart’s PE and download his PE builder package.
  2. Unpack it.
  3. Browse into the unpacked folder to find the \plugin\mcafee folder. Copy this folder and its contents to your USB stick or other handy location.
  4. Now go to Index of ftp://ftp.nai.com/pub/antivirus/superdat/intel/ page and download the SDATxxxx.exe file. Note; the xxxx number will change.
  5. Copy that SDAT file into your mcafee folder.
  6. Now you must unpack it using the "/e" parameter. Open a command-line window session and browse over and into the mcafee folder.
  7. Run the command sdatxxxx.exe /e (where xxxx is the version number, for example sdat4290.exe). When unpacking you don't see anything happen for about 20-30 seconds, just wait for it to be all done.
  8. Delete the sdatxxxx.exe file to save space.
  9. Copy and paste this whole directory to your USB drive.
  10. When needed run the scangui.exe file in the mcafee folder to begin.

The GUI has a ton of configuration options and is a breeze to use.

Headaches

The biggest complaints I have is that you must have a valid McAfee license to use this software. It isn’t “free” even though it is freely available.  Also, the download of the SDAT file can take a long time to complete, even with awesome bandwidth.  Finally you need to be very patient when allowing the command-line unpacking to run.  It isn’t always fast.

You need to specify a valid location to write the log file before starting.  The default location often gives errors when generating.

Sometimes I’ve run into issues with executing it correctly from NTFS formatted drives.  It doesn’t seem to balk running from FAT32 formatted partitions so I think there might be a security permissions thing going on here.

All that said, this is a great tool from another trusted AV company.  Keep it handy and frequently updated on your USB drive if you qualify for usage.

a-squared Emergency USB Stick

I’ve come to figure out that there are two camps with EMSI; you either love ‘em or you don’t.  I personally like their AVAM products.

Recently (?) they expanded their product line to include a USB stick “bundle” that includes both a portable version of their freeware a-squared Free and a-squared Commandline Scanner. (Actually I suspect the first is the GUI that powers off the second. But you can run either one depending on your needs.)

Deployment walkthrough

  1. Download the a-squared Emergency USB Stick files from the link mid-way down the page.
  2. Unpack the files to a location on your USB stick or system.
  3. Open the folder and run the a2free.exe file and away you go!
  4. If you copy the unpacked folder to your USB stick it will be ready to go on-demand…just be sure to run an updated signature file check before using.

Pretty simple and not a lot to complain about.

Clam-Win Portable

Clam-Win is an open-source AVAM program that is growing daily.  While in many ways it is still a bit limited in functionality to full-bore AVAM scanning programs, it does provide some pretty good signature files in a fairly intuitive interface.  And it’s free.

This one’s simple.

Deployment walkthrough

  1. Download the ClamWin Portable package from PortableApps.com
  2. Run the installer and point it at the location you wish to save it at. Note that it doesn’t really Install the program but unpacks everything you need to the target location.
  3. Browse to that location and open the folder.
  4. Run the ClamWinPortable.exe file.
  5. You will be prompted to download the signature file database (or check for updates).
  6. Select your preferences and scan away!

No real issues with this one.  Pretty simple and lots of folks love and trust this little mollusk.

Keep it handy and updated on your USB drive and check for program updates often as it is frequently being fine-tuned overall.

Malwarebytes Rogue Remover Free

Malwarebytes Rogue Remover Free is free for personal use.  It is a particularly brutal tool to use against rogue AMAV products that trick the user into thinking they are getting a needed security product but actually contain adware, spyware, trojans and other icky things.

I highly recommend this program and keep it handy on a USB stick when visiting family and friend’s systems.

Deployment walkthrough

  1. Download the Malwarebytes Rogue Remover Free application to your local system.
  2. Run the installer.
  3. Browse into your system’s “Program Files” folder and look for the Rogue Remover Free folder itself.
  4. Copy this one to your system in another location, or even better, copy it to your USB stick.
  5. Go back and uninstall the program from your system (if desired).
  6. Go to your copied folder and drop into it.
  7. Find the RogueRemover.exe file and run to execute.
  8. It will make a request for an update-check (program and signatures) go ahead and let it do it’s thing.
  9. When done, scan-away!

It’s tough, it’s trusted, and it’s fast.

What more do you want?

IKARUS T3 CLI Scanner

T3 Command Line Scanner 1001026 - (freeware) -  Use this utility to perform a virus scan from command line – Softpedia.  Made by German IKARUS Security Software.  I haven’t spent much time with this particular Command-line scanner, but it could be good. Or not.  Just tossing it out there. 

I linked above to the Softpedia location as it has the command-line arguments in English.  If you want it directly from the source to ensure you get the most recent version, do this:

Deployment walkthrough

  1. Download the t3scan zip package from this IKARUS update location.
  2. Run the file and name a location and folder you want to unpack it in. I like using the folder-name “T3 CLI” myself.
  3. Download the t3sigs.vdb signature files from that same update location above in step 1.
  4. Copy the file into the folder from step 2 where you unpacked the CLI engine files.
  5. Now, open up that folder and rename the original file “t3scan.lng” to something like “t3scan.lng.old”
  6. Now find the file “t3sacn.en.lng” and rename it to “t3scan.lng” so that the help command will output in English and not in German (unless you happen to speak German, then skip steps 5 and 6!)

You are ready to go!

Open a command-line window and browse to the folder location.

To do a full scan of the primary drive use this command >t3scan.exe c:\*.*

If you want more finesse, then run the command >t3scan.exe –?

Copy your folder to your USB stick and check back for updates frequently. Download them (t3sigs.vdb) back into that folder.

Multi Virus Cleaner 2008

This is one of those free AVAM tools I keep around…just in case.

It hasn’t been updated since April 2008, but then again, you never know if it might be helpful.

Multi Virus Cleaner (MVC) : detects and removes major viruses

Deployment walkthrough

  1. Download the Multi Virus Cleaner (MVC) application to your local system.
  2. Run the installer.
  3. Browse into your system’s “Program Files” folder and look for the \AxBx\Multi Virus Cleaner 2008 folder itself.
  4. Copy this one to your system in another location, or even better, copy it to your USB stick.
  5. Go back and uninstall the program from your system (if desired).
  6. Go to your copied folder and drop into it.
  7. Find the MVC.exe file and run to execute.
  8. There isn’t really any point of checking for updates.
  9. Pick your scan type preference and scan away!

VIPRE PC Rescue - (freeware) - Sunbelt Software is now offering a “standalone” anti-malware scanning/removal tool.  The self-extracting executable is updated daily with the latest signatures. Scans include rootkit detection.  “Four command line options are available, enabling the program to perform a boot scan during the next start-up, perform a deep scan, log the events, and disabling the rootkit.”  I really like the fact that not only can you download and execute it from the net, but you can keep it packed/unpacked on a USB stick and run from there.  I’ve been using the full VIPRE product from Sunbelt Software for a while now and am very impressed with it.  A full GSD review on both should be coming soon.  Sunbelt reports that they will be providing a guide on how to use VIPRE PC Rescue with a bootCD for non-bootable system use. Sounds like a great add-on for VistaPE or other WinPE based boot disks. Spotted via the Sunbelt Blog. (update – this item added to post on 2/14/09.)

Micro-Scanners

These are specialty AVAM scanners that only target specific threats.  However they are single-file executables that are perfectly portable!

They aren’t as inclusive as some of the others, but they are tiny and fast and do the job.  Updated periodically (but not necessarily frequently) based on major threats as seen by their makers.

I always keep them handy.

Avira Antivirus Solution - Download AntiVir Removal Tool – Just download the removal tool and save to your USB stick.  Execute to run.  That’s it!

Stinger - McAfee Threat Center – Fantastic stand-alone portable AVAM tool.  Download the file and run.

avast! Virus Cleaner - free virus removal tool – Download  link is at the bottom of the page. Download it and run.

Microsoft Windows Malicious Software Removal Tool – Yes.  I’m listing the MSRT tool that is common on XP and Vista systems.  Often overlooked and discredited, it can do a job if needed against specific high-profile threats.  Find the MRT.exe file on your Windows system in the \Windows\System32 folder and copy it to your USB stick in case the local file isn’t up to date and a download isn’t possible from a compromised system. Just run the file to begin.

Whew!

Hope that’s enough to pad-out your USB stick and keep you busy scanning for a while!

For other related tools (portable and non-portable) look at these Grand Stream Dreams posts: Anti-Malware Tools, Anti-Virus Tools, Online Scan Tools, and Anti-Rootkit Tools.

Please let me know of any other similar AVAM programs that work well off USB that you trust and recommend.

Cheers!

--Claus V.

6 comments:

ffextensionguru said...

Odd, I was under the impression you couldn't use USB when in Windows safe mode.

Claus said...

@ ffextenstionguru - I think it depends on several factors, such as the motherboard and the BIOS. For example, my Shuttle SFF system does not support USB in Safe Mode, so I have to remember to swap out my USB keyboard with a PS2 one.

But on the Dell Optiplex systems we have at work, they only come with USB keyboards/mice and no PS2 connectors at all. Keyboard & mouse work just fine.

To be honest, what I really meant to say is that they work great off a USB drive when booting an infected system with a BartPE live Windows boot CD or a VistaPE live boot CD. Both of these which are based on WinPE 1.0 and WinPE 2.0 (respectively) support USB devices including USB storage devices.

These are what I often work from when booting a system "off-line" and if you boot with a USB stick or drive plugged in, they pick it up and you can then run your portable AVAM tools against the inactive primary hard disk drive(s).

Good catch!

--Claus

Claus said...

Or for a few other portable "transport" methods I didn't mention but have also used:

1) You can run them from a USB storage device without being in Safe Mode,

2) Burn the files to a CD-ROM disk and then copy them to the local drive either in Safe Mode or regular mode, or

3) Just keep them on your system and keep them for handy access if you ever need them locally in regular or Safe Mode.

Claus V.

Keydet89 said...

Claus,

Awesome post! IR folks need to see this...this brings several tools to their fingertips. Thanks!

Claus said...

USB Safe Mode Tip:

(for some reason Blogger was behaving badly so I'm reposting a summary from TinyApps Blog )

1. Many thanks for the awesome roundup of stand-alone AV tools
2. I had virtually never seen problems recognizing USB Mass Storage Devices in Safe Modem (under XP/Vista)
3. Intel has some potentially relevant info here: PC Accessories Issues when USB Legacy Support is Disabled

--all good info from Miles. Much appreciated...and might help me solve a tangentially related issue as well!

--Cheers!

Aa'ed Alqarta said...

Hi,

Nice way, I got my own recipe using Portable ClamAV + Windows batch + Autorun.inf. Check it out here:

http://extremesecurity.blogspot.com/2008/06/usb-dongle-auto-malwares-scanning-with.html

Cheers ;]