Is there a way of automatically scanning removable media when attached to a PC? We had an outbreak of conficker a few months back (don't want to go through that again!) and are still getting the odd memory stick attached by teachers that has conficker on. I'd be a lot happier if all memory sticks/USB hard drives were fully scanned each time they were attached!
I am also trying to educate staff to ensure their home PCs are fully protected!
edit - useful info: We're running Enterprise Console 4 and Endpoint Security 9
joe90bass wrote: I'd be a lot happier if all memory sticks/USB hard drives were fully scanned each time they were attached!
Have a similar situation here - teachers and students as well plugging in contaminated sticks ... While I'm confident that on-access scanning blocks the malicious content it often fails to clean (all) the threats. Users seem to simply ignore the message and continue using the device (not only on the protected PC but later somewhere else). If access would be denied completely chances are that users ask for help. Of course a full scan could take some time and it might therefore not be feasible in all circumstances.
As far as I know there is no option to automatically scan removable devices when they are attached to the PC (other than the on-access scanner preventing access to already known threats, and all the available device and application control settings).
Threats found by the on-access scanner will be blocked as soon as something tries to access an infected file, making me believe that I am protected even if the device is not fully scanned :-) . This also happens for malicious-looking autorun.inf files, making it even harder for malware to be executed after removable media has been plugged in.
What I intend to do is to "transform" this post into some kind of "pro and con" discussion of why such an option is useful or not (sorry for that ;-) )
Maybe some of the Sophos guys will think about such a feature if there are enough pro arguments for this ;-)
So from the point of view of someone who's responsible for IT security this kind of option would be really great (if you stop to think about it at this point). All devices which are attached to a PC will be scanned and there will be no chance for malware to install itself or to spread on your network.
OK, so now let's dig a little bit deeper... removable storage nowadays exceeds the TB size, making it bigger than the disks which are built into the PCs (OK, the default USB stick has an average of 8 GB but this is still a remarkable size to scan).
So let's think about the worst case - someone attaches a 1 TB external hard disk to a PC with a "scan external drives" option.
As long as the drive is being scanned it cannot be accessed (it would not make sense if you could access the drive while it is being scanned, because you want the drive to be scanned before it can be used). There are a lot of PDFs on this drive - 10k holiday pictures of the last 5 years are also stored on this drive as well as a whole bunch of office documents (so let's say approximately 70% of the disk is in use).
Even if you have the latest hardware, the time to scan the content will be far more than a user is willing to wait. So what will happen?
Users will start to complain...
Users will try to disable the security software...
Users will look for other ways to transfer the data they need (might end up even worse than just attaching a USB stick)...
So maybe I am wrong, but if I were to create a list with all pros and cons there are far more con arguments.
Pro:
- Feels more secure
Con:
- slow (no matter what hardware or scanner you're using)
- does not offer a real security advantage (OK, you will get a list of ALL infected files on this disk - but you can also run a full scan from time to time if you really want to know. On-access will block access to an infected file even if you do not run a full scan)
- users will start to complain (worst case: try to disable the security software in order to perform their job)
- regular usage of removable media will become a real pain
So hopefully the community will find more arguments for or against this kind of option.
Feel free to comment on my post :-) maybe you will be able to change my point of view
Thanks for the replies, and JoeDoe no need to be sorry for the pros and cons debate, the great thing about these kind of boards is the opportunity to bounce ideas around and get another perspective on an idea/issue!
Whilst most of our users only have a few documents on USB sticks, some do seem to carry their life history around on USB hard drives, so as you say lengthy scan times could be an issue, even more so as the devices continue to increase in size....
I guess it's just down to educating users and ensuring the AV is installed, working properly, and up to date on all connected devices....
We have talked about this request a fair bit within the product team - it comes up fairly regularly as a request. I think JoeDoe sums up the pros and cons really well. Ultimately there is little to no security benefit from doing a scan upon insertion but there is some end user impact for kicking off such a scan (especially if it's crammed with GBs of music and other goodies). Medium term we're looking at adding some functionality within the device control policy to block any executable from running from removable storage, which would prevent malware and unauthorised apps from running prior to the on-access scan for malware or app control (at this stage I can't comment on when that feature would become available). Right now we make sure all our app control identities cover both standard and "pocket" versions of applications to prevent end users circumnavigating IT policy. Hope this helps.
BTW it might be possible to write a script to execute sav cli to carry out an on-demand scan when a removable storage device is inserted into the machine.
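One way to do what the sentence above describes, as an added example that is not from the thread or from Sophos: a PowerShell watcher that subscribes to WMI volume-arrival events and launches a command-line scanner against each newly attached removable drive, logging the result. The scanner path, and the assumption that the scanner accepts a drive path as its argument, are placeholders to adjust for your own installation; check the scanner's own documentation for switches.

```powershell
# Added example, not from the thread or from Sophos. Assumed: a command-line scanner
# installed at ScannerPath that accepts a directory path to scan as its argument.
$Config = @{
    ScannerPath = 'C:\Program Files\Sophos\Sophos Anti-Virus\SAV32CLI.exe'  # assumed location
    LogDir      = 'C:\ProgramData\RemovableScanLogs'                         # constructed path
}
New-Item -ItemType Directory -Path $Config.LogDir -Force | Out-Null

# Win32_VolumeChangeEvent with EventType 2 fires when a volume (drive letter) arrives.
$query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2'

Register-WmiEvent -Query $query -SourceIdentifier 'RemovableVolumeArrival' `
    -MessageData $Config -Action {
    $cfg   = $Event.MessageData
    $drive = $Event.SourceEventArgs.NewEvent.DriveName   # e.g. "E:"

    # Only act on removable drives (DriveType 2); ignore fixed, network and optical volumes.
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk -or $disk.DriveType -ne 2) { return }

    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $log   = Join-Path $cfg.LogDir "scan_$($drive.TrimEnd(':'))_$stamp.log"

    # Background scan: the drive stays usable (the on-access scanner still guards
    # individual files) while the full scan runs and its output is written to the log.
    & $cfg.ScannerPath "$drive\" 2>&1 | Out-File -FilePath $log -Encoding utf8
    Add-Content -Path $log -Value "Scanner exit code: $LASTEXITCODE"
}

Write-Host "Watching for removable volumes; press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 30 }
} finally {
    Unregister-Event -SourceIdentifier 'RemovableVolumeArrival'
}
```

Register-WmiEvent and Get-WmiObject are Windows PowerShell (5.1) cmdlets; the watcher has to stay running (for example as a scheduled task at logon) for the event subscription to remain active.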
Thanks for your reply. It's very reassuring to hear you've listened to customer requests and are looking at solutions to this.
How about this as a suggestion: an option to force a background scan (with all the usual exception rules provision) on a drive if an "on access" detection occurs.
This would cover the situation whereby someone has Conficker or similar and Sophos only deletes the autorun.inf file without clearing the trojan files. Also, it will not detain anyone who has not been proven to have an infection, and if they have an infection they can only expect us to insist the rest of the drive is scanned.
At the moment as soon as I get notified I have to phone the relevant user and get them before they wander off to grab any and or all their USB devices in order to manually scan them.
Any good as an idea?
Yes, it's a good idea. I'll raise a feature request to cover it. Couple of potential complications:
* the end user may well pull out their USB key once they are alerted to the presence of malware
* I wonder how many times the device will contain multiple pieces of malware - as opposed to one. A different approach would be to ensure that automated cleanup is more rigorous i.e. does more than just delete autorun.inf. I'll ask some in the lab for a comment on this.
Agreed about the complications, but I'll let you guys figure out the wrinkles.
Just so you know on the various infected USB sticks I am scanning there are usually 2-3 active files containing the payload. At the moment they are all on the root of the drive but I am sure some bright virus writing spark would just shift the location of the files if the root were scanned by default.
In addition to my last post, most of my users do not even notice they are infected, even with the Sophos alarm, and carry on regardless. I am sure the background scan would at the very least clean up more of the files.
KarimK wrote: How about this as a suggestion: an option to force a background scan (with all the usual exception rules provision) on a drive if an "on access" detection occurs.
Some pretty good points raised so far in this discussion, but the suggestion above seems pretty good to me. Most of our virus alerts (almost all of them in fact!) come from flash drives that have been used during field trips in far off countries and the option to force a full scan after an on-access detection would be useful. Maybe even integrate a desktop alert into it asking the user not to remove the device until scanning has completed? If the device was removed before the automatic scan had completed, then perhaps this could trigger an alert in Enterprise Console?