Automatic Scan of removable media

Hi,

Is there a way of automatically scanning removable media when attached to a PC? We had an outbreak of conficker a few months back (don't want to go through that again!) and are still getting the odd memory stick attached by teachers that has conficker on. I'd be a lot happier if all memory sticks/USB hard drives were fully scanned each time they were attached!

I am also trying to educate staff to ensure their home PCs are fully protected!

edit - useful info.. We're running Enterprise console 4 and Endpoint security 9

Thanks,

Joe

:691

  • joe90bass wrote: I'd be a lot happier if all memory sticks/USB hard drives were fully scanned each time they were attached!

    Have a similar situation here - teachers and students as well plugging in contaminated sticks ... While I'm confident that on-access scanning blocks the malicious content it often fails to clean (all) the threats. Users seem to simply ignore the message and continue using the device (not only on the protected PC but later somewhere else). If access would be denied completely chances are that users ask for help. Of course a full scan could take some time and it might therefore not be feasible in all circumstances.

    Christian   

    :694
  • Hi,

    as far as i know there is no option to automatically scan removable devices when they are attached to the PC (else than the On-access scanner preventing access to already known threats and all the available device and application control settings).

    Threats found by the on-access will be blocked as soon as somthing is trying to access an infected file - making me believe that i am protected even if the device is not fully scanned :-) . This also happens for malicious looking autorun.inf files making it even harder for malware to be executed after removable media has been plugged in.

    What I intend to do is to "transform" this post to some kind of "pro and con" discussion of why such an option is usefull or not (sorry for that ;-) )

    Maybe some of the Sophos guys will think about such a feature if there are enough pro arguments for this ;-)

    So from the point of  someone who's responsible for IT security this kind of option would be really great (if you stop to think about it at this point). All devices which are attached to a PC will be scanned and there will be no chance for malware to install itself or to spread on your network.

    Ok so now let's dig a little bit deeper...removable storage nowerdays exceeds the TB size make them bigger than the disks which are built in to the PCs (OK the default USB stick has an avarage of 8 GB but this is still a remarkable size to scan).

    So let's think about the worst case - someone attaches a 1TB external hard disk to a PC with a "scan external drives" option.

    As long as the drive is scanned it cannot be accessed (would not make sense if you can access the drive while it is being scaned - cause you want the drive to be scanned before it can be used). There are  a lot of PDFs on this drive -  10k holiday  pictures of the last 5 years are also stored on this drive as well as a whole bunch of office documents (so let's say approximately 70% of the disk is in use). 

    Even if you got the latest hardware the time to scan the contend will consume far more time that a user is willing to wait. So what will happen?

    Users will start to complain...

    åUsers will try to disable the security software...

    Users will look for other ways to transfer the data they need (might end up even worse that just attaching a usb stick)...

    etc...

    So maybe i am wrong but if i would create a list with all pros and contras there are far more contra arguments.

    Pro:

    - Feels more secure

    Con:

    - slow (no matter of what hardware or scanner you're using)

    - does not offer a real security advantage (OK you will get a list of ALL infected files on this disk - but you can also run a full scan from time to time if you really want to know. On-access will  block access to a infected file even if you do not run a full scan)

    - users will start to complain (worst case try to disable the security software in order to perform their job)

    - regular usage of removable media wil become a real pain 

    So hopefully the community will finde more arguments fo or against this kind of option.

    Feel free to comment my post :-) maybe you will be able to change my point of view

    Cheers

    JoeDoe

    :695
  • Thanks for the replies, and JoeDoe no need to be sorry for the pros and cons debate, the great thing about these kind of boards is the opportunity to bounce ideas around and get another perspective on an idea/issue!

    Whilst most of our users only have a few documents on USB sticks, some do seem to carry their life history around on USB hard drives, so as you say lengthy scan times could be an issue, even more so as they devices continue to increase in size....

    I guess it's just down to educating users and ensuring the AV is installed. working properly, and up to date on all connected devices....

    Cheers!

    :709
  • Hi,

    We have talked about this request a fair bit within the product team - it comes up fairly regularly as a request. I think JoeDoe sums up the pros and cons really well. Utlimately there is little to no security benefit from doing a scan upon insertion but there is some end user impact for kicking off such a scan (especially if its crammed with GBs of music and other goodies). Medium term we're looking at adding some functionality within the device control policy to block any executable from running from removable storage which would prevent malware and unauthorised apps from running prior to the on access scan for malware or app control (at this stage I can't comment on when that feature would become available). Right now we make sure all our app control identities cover both standard and "pocket" versions of applications to prevent end users circumnavigating IT policy. Hope this helps.

    BTW it might be possible to write a script to execute sav cli to carry out an ondemand scan when a removable storage device is inserted into the machine.

    Best regards,

    John

    :710
  • Hi John,

    Thanks for your reply. It's very reassuring to hear you've listened to customer requests and are looking at solutions to this.

    Chris

    :717
  • How about this as a suggestion. an option to force a background scan (With all the usual exception rules provision) on a drive if an "on access" detection occurrs.

    This would cover the situation whereby someone has conficker or similar and Sophos only deletes the autorun.inf file without clearing the trojan files. Also it will not detain anyone who has not been proven to have an infection. and if they have an infection they can only expect us to insist the rest of the drive is scanned.

    At the moment as soon as I get notified I have to phone the relevant user and  get them before they wander off to grab any and or all their USB devices in order to manually scan them.

    Any good as an idea?

    :756
  • Yes, its a good idea. I'll raise a feature request to cover it. Couple of potential complications:

    * the end user may well pull out their USB key once they are alerted to the presence of malware

    * I wonder how many times the device will contain multiple pieces of malware - as opposed to one. A different approach would be to ensure that automated cleanup is more rigorous i.e. does more than just delete autorun.inf. I'll ask some in the lab for a comment on this.

    Best regards,

    John

    :763
  • agreed about the complications but I'l let you guys figure out the wrikles.

    Just so you know on the various infected USB sticks I am scanning  there are usually 2-3 active files containing the payload. At the moment they are all on the root of the drive but I am sure some bright virus writing spark would just shift the location of the files if the root were scanned by default.

    :812
  • In addition to my last post, most of my users do not even notice they are infected! even with the Sophos alarm, and carry on regardless. I am sure the background scan would at the very least clean up more of the files

    :813

  • KarimK wrote:

    How about this as a suggestion. an option to force a background scan (With all the usual exception rules provision) on a drive if an "on access" detection occurrs.


    Some pretty good points raised so far in this discussion, but the suggestion above seems pretty good to me.  Most of our virus alerts (almost all of them in fact!) come from flash drives that have been used during field trips in far off countries and the option to force a full scan after an on-access detection would be useful.  Maybe even integrate a desktop alert into it asking the user not to remove the device until scanning has completed?  If the device was removed before the automatic scan had completed, then perhaps this could trigger an alert in Enterprise Console?

    :849
  • Hi

    The big troubble in USB keys is the malware that Sophos can't detect becuase with the malware detected by Sophos the network can't is infected.

    The option to scan or clean the USB can managed by a "USB use policy", however I have some observations:

    1) Only the admin users can delete and clean malware from USB if this are blocked by Sophos and sent to Quarantine.

    To solve this issue we uses the "Right Click Scanning" with a option Clean and Delete malware automatically.

    2) In most cases to configure the "Right Click Scanning" need a help from IT staff. This can solve if this options could be configured from Enteprise Console as the "Antivirus and HIPs" policy.

    3) If Sophos can detect and block the USB devices, I think that Sophos can add a Window message to help the users to Scan the USB keys when this is connected to PC. With this manner if the user have selected the option once, for example, when connected the first time to the PC the second or next times he can cancel the process.

    The Sophos message is "Simplicity" and the idea is provide a "Simple" option to users to scan your USB's or other medias when it's are connected to the Pc's. 

    4) To combat the unknow malware (mainly don't detected by Sophos) a new Device Control option as "Block the Executable Files" can help to protect the network without lost the functionality to copy/read/delete other documents from this medias. In the business the users generally uses your USB's to transport documents (word, excel, ppt, txt, etc).

    5) Sophos need one option to sent automatically the suspect files to SophosLabs because most malwares are detected as Suspicious with HIPS activated. But, again the process to remove or send this samples to SophosLabs is a unusable for the users (no IT users - 99% de users in a business).

    Finally, I think that Sophos are searching the best option to manage this cases (No-Admin Quarantine Management, No-Admin Malware Magement, USB, etc.) :smileytongue:

    Regards,

    Linck Tello Flores

    :884
  • In the community's early days I posted . Never got a feedback - think it is time to exhume it :smileyhappy:.

    Christian

    :894
  • Hello Sandy

    Is a good news that some point was sent to Dev Team :)

    About your question;

    I say. Is unusable for common users (non-IT users = 99% users in a business). Because the steps, only can executed for IT users (with permissions, or medium technical know), maybe, for a small business don't is trouble but in mediums and big business this steps are complicated.

    In business with multiple locations (remote offices, faculties) is very, very complicated.

    Remember that the IT team can't visit all pc's to copy and send the samples to SophosLabs.

    Sophos Endpoint catch multiple new malware with HIPS technology and need one option to permit sent the suspicious files from the same PC (with a click) or for example from a Central Quarantine (managed by a IT Admin).

    If you see the suspicious files in the EC this can't deleted (the message is: Impossible clean this malware").

    The question is:

    How to manage this cases?

    - Visiting the PC.

    - Accessing remotely.

    - Clean manually.

    If you see all this options can executed only for IT staff and this is a trouble.

    The EC should be have most manage options to treat the malware (viruses, suspicious, behaviour,etc) detected by Sophos in endpoints.

    This is the idea!!  :mantongue:

    Regards,

    Linck Tello Flores

    :917
  • Hi,

    Automated sample collection is coming in ESC 9.5 as part of our "Live Protection" feature. When enabled this features does a look up to Sophos for files that show suspicious behavior. If the file is new to Sophos, and the customer has enabled the "provide a sample option" (its off by default for existing installations), a sample is automatically gathered and processed by the Labs. If the file isn't new then it will either be blocked as malware or ignored if it is a proven legitimate file. As you can imagine this feature will assist in both new malware detection and the reduction of false positives.

    BTW the BETA registration for ESC 9.5 is now live: http://www.sophos.com/products/beta/ 

    Regards,

    John

    :926
  • Great, John

    Which catgories does this apply to - HIPS/xxxx and Sus/xxxx or also Mal/xxxx. While it is not exactly what I and perhaps some others would wish it is a big improvement. First time I see some beta details before the download is available :smileywink:

    Christian

    :930