Sunday, December 14, 2008

USB Security: AutoRunGuard, Encryption options, and Forensics

Deep into my earlier Security and Forensics Roundup: Heavy Version #2 post, I shared the renewed threat-vector of USB drives in general and the auto-run behavior in particular.

Then I immediately noted the need to get Alvis her own personal USB drive.

Great tips were offered by forensic gurus Hogfly and Harlan on dealing with USB security along with “Steve”.

That led to a minor post-post post NTFS Formatting an Imation USB Disk after which I received additional feedback from school IT administrator reminding me that Alvis would unlikely be able to use TrueCrypt at school due the fact the system-drivers would not load under the students’ restricted account policy settings.

So now I’ve had a bit more time to dwell (and research the subject) and am working on a few new angles worth sharing.

“Semi” Automatic USB device scanning – Foundation

From the first post comments, Steve suggested looking at Didier Stevens’ USBVirusScan which can be configured to launch an AV application when a USB stick gets inserted.

I did so and it looks like it could fit the bill. The way it works is (basically) you download the zip file and unpack.  Then you edit a .bat file to the specific drive letter and CLI path to executable you wish to run.  Set it all up and when the main-program detects a USB device loading, it triggers the pre-configured program to run.

See this Ditii blog post for some popular AV CLI commands to use: USBVirusScan: Automatic virus scanning, when plug in USB Flash Drive

As Steve (and Didier) suggest, this is great when tied to an AV/AM CLI supported software solution to scan the device in question immediately.

However, after reading Didier’s post, I (per usual practice) studied the post comments in depth looking for feedback and some additional practical applications.

Since some time has passed since Didier’s original post, the comments were filled with loads of comments.

And in them was an even better gem built on USBVirusScan.

And then there was AutoRunGuard

Dan McCloy took Didier’s work and expanded it in a pretty awesomely effective way.

But first, Dan shows his chops by breaking down the definitions and operations of Windows AutoRun, AutoPlay, and EDDC.  It really helps to clear up the finer points of what is going on.

Dan McCloy’s Autorun Reference Guide

Well worth reading the concise and organized page. Dan provides a number of strategies for reducing the effectiveness (for security gains) of AutoPlay and AutoRun

(Note: see also How to correct "disable Autorun registry key" enforcement in Windows – Microsoft KB953252)

Then Dan drops the bomb:

AutoRunGuard – freeware bat-file work combined with Didier’s USBVirusScan tool.

In its most basic default configuration, when a USB device is inserted, it opens a CLI window and asks you if you want to scan the drive, inoculate the device against future auto-run threats, or browse the device contents with Windows Explorer.


However what takes Dan’s program off the chart is that with some careful cmd-file editing, you can edit it to respond based on a particular device’s volume name, treat cd material differently, do MD5-based authentication of drive items to ensure they were not altered or compromised, and much more.

I have to confess, even for a bat-file builder like myself it was a bit intimidating at first with all the stuff Dan crammed in there. But once I quickly identified the particular drive-letter to be used on my system(s) and had carefully read the attached help-file (well done I might add) I had the program configured in no time.

The setting that you are most likely to need to customize is the command line for your particular anti-virus scanner.  Following are some samples that may match what you need. 

Test it first by running the command exactly as shown except that you should replace %d% with a drive letter and a colon for this test.  Then in the AutoRunGuard.cmd file, scroll down about 135 lines to where it says,

:: [[ Modify the following line to be whatever your system needs for performing a virus scan. ]]

Then replace the setting in the following (set MenuCmd=...) line with the one that worked for you.

Note that the path and parameters that a program uses may vary from one version and edition to another.  You might try browsing your Program Files folder to find the actual .exe files.  Note also that some programs offer both a command-line version (text will appear in the AutoRunGuard window) and a means to call the normal scanning window.

Worked like a charm.

For boot to shutdown protection, add a shortcut for USBVirusScan to the startup folder (or schedule the event to run at login in Vista). It will be ready and waiting for your USB disk to arrive for scanning!

Highly recommended.


As I am currently testing VIPRE Antivirus + Antispyware and wanted to set it up as the target AV scanner for AutoRunGuard’s cmd file.

Although VIPRE wasn’t included in the sample listings for CLI templates, I did find Sunbelt Software Support Answer ID 1759 to guide me in writing my own.

VIPRE offers you the ability to run a scan from the command line scanner.
Note: Using VIPRE's command line scanner is an advanced feature and should only be used by knowledgeable computer users.

The following parameters are available for the command line scanner with the syntax: SBAMCommandLineScanner.exe [parameter]:
Parameter Description

/displaylocaldefversion - gets current version number of risk definitions
/displayvipreversion - gets current VIPRE software version number
/displaysdkversion - gets current SDK version number
/scannowquick - starts a Quick scan
/scannowdeep - starts a Deep System scan
/updatedefs - starts update definition
/enableap - enables active protection

However it didn’t provide information on how to run a scan on a particular drive/volume target. The scannowquick seems to totally skip all additional drives (non-system partitions) and the scannowdeep will get the USB mounted drive, eventually, as it scans ALL mounted volumes/partitions in the process. 

Thus, my line 136 of the AutoRunGuard.cmd file looks like this:

set MenuCmd="%ProgramFiles%\Sunbelt Software\VIPRE\sbamcommandlinescanner.exe" /scannowdeep "f:"

I saved it, launched the main USBVIrusScan executable, inserted my USB stick and then picked the option to scan drive when offered by the CLI window that appeared.

VIPRE began its (full) scan and about an hour and 1/2 later, all the drives including the USB one were scanned.

That’s a long wait in many cases for it to arrive at the USB device with VIPRE’s CLI options.  I might be done using the USB stick and have ejected it by the time it finishes, despite VIPRE’s speed.

I fired off an email to the product support team, and even though it was the weekend, the TIER 1 support rep responded later in the day confirming what I suspected. It appears there are no command-line arguments (documented/undocumented) that will allow a CLI scan for just a particular drive-letter.  That can only be set and handled with a custom scan via the program GUI interface.

That doesn’t help me (and I hope it can be considered as a feature in a future version of VIPRE), but all is not lost.  I will just have to use an alternative Portable Anti-Virus/Malware Security Tool that supports CLI drive-targeted scanning parameters. I listed a number of free ones to pick from.  Just ends up being another AV/AM tool to manually update DAT files for, however.

Users of other popular AV/AM tools won’t have that problem at all as most all support scanning just a particular drive via the CLI arguments they offer.

USB File/Volume Encryption - Revisited

As has been noted, TrueCrypt does require Admin rights to run the drivers, even if they don’t have to be installed.

I did find one alternative to TrueCrypt that seem to get around that limitation and might be a better solution for Alvis and other users desiring USB volume encryptions but working under restricted Windows accounts.

Rohos Mini Drive – freeware – Creates a hidden and encrypted volume on USB devices and does not require admin rights to run on any system. Nice. The interface is much more user-friendly GUI than TrueCrypt. Encryption algorithm: AES 256 bit key length. NIST approved. Size of encrypted volume is 1 GB. While not humongous, this should be more than adequate for the average user’s needs.  It also packs a virtual keyboard to attempt circumvention of any keyloggers. Learn more about it’s features and see screenshots.  Spotted on Download Squad.

I also found the following application that looked promising:

Cypherix LE Free Encryption Software – freeware – Similar to Rohos, this product (formerly known as Cryptainer LE) uses a 128 bit implementation of the Blowfish algorithm in Cipher Block Chaining (CBC) mode with a block size of 64 bytes. And you can create multiple 25 MB sized containers on your USB device. The interface is a bit more advanced than Rohos, but not quite to the TrueCrypt level of complexity. The USB portable version seems to be referred to as Cypherix Mobile.

Now for the administrator rights requirement test:

Can Cryptainer be installed without administrator privileges?

Unfortunately this is not possible. Cryptainer runs as a process within the Windows framework. It needs be enabled as well be started up and shut down on request. It is necessarily constrained, by the overall Windows configuration, of the client machine.
This in turn is derived from the security, permissions, to illustrate just one instance of the client machine.

Please note that while Cypherix Mobile cannot be used without Administrative Privileges, The full version (Cryptainer) can be installed on any machine, with or without Admin privileges.

Thus it doesn’t appear to fully fit the bill for students. Too bad, but less competition for Rohos I guess.

USB Related Security Matters

Expanding the USB device theme a bit more:

Prevent Your PC From Booting If Your USB Drive Is Not Inserted -  Beware! Here be dragons!  Varun Kashyap provides a clear--if not dangerous--way to create a poor-man’s SmartCard boot dongle.  Basically you set your BIOS (if supported) to boot from USB devices first, and move some critical Windows system boot files to a USB device (boot.ini, NTLDR and  When the system boots it looks to the USB device and reads the files needed. No USB device with needed files? No boot. Written for XP but should work in principle with Vista as well.

As the article points out, it isn’t “secure” in the sense that a system would be with a whole-disk-encryption method using either freeware software CompuSec or TrueCrypt.  As long as any advanced IT user had a LiveCD to boot the system with (Win PE or Linux) the files on the otherwise non-bootable system would still be accessible, quite easily.

The NOISY U3 Thumb Drive File Access behavior in Windows - SANS Computer Forensics, Investigation, and Response. Great post by J. Michael Butler using the older Sysinternals FileMon (now replaced by the more advanced Process Monitor) tool to capture U3 USB drive application behavior. He even identified a U3 activity log created under the user’s application temp folder containing dates, times and serial numbers. Neat!

Forensic Incident Response: Tales from the field – Great analysis from Hogfly of a malware infection response that also involves a USB drive and autorun behavior execution.

Forensic Incident Response: Old is new - Tales from the field – Hogfly details how old attack methods against the MBR and autorun files on removable devices are being repurposed for renewed system attacks. Good stuff, especially as new discovery techniques are matched against them!

Forensic Incident Response: Beware the key – Last one.  Reminder of applying common sense and some protective measures already discussed in this post against USB device autorun features.

Motto for the night: Plug up your holes before plugging into your USB ports!

--Claus V.

1 comment:

Anonymous said...

Hey Claus,

great work on the AutoRunGuard write-up. I hadn't seen that yet so I'm looking forward to playing around with it. Thanks for the hard work!

Here's a quick thought regarding your "USB File/Volume Encryption - Revisited" section. Have you had a look at Ironkey drives yet?
The personal version would probably be the best fit for the situation, but I will make no assumptions about suiting a teenage girl's sense of style.