Automatic Scan of removable media

Hi,

Is there a way of automatically scanning removable media when attached to a PC? We had an outbreak of conficker a few months back (don't want to go through that again!) and are still getting the odd memory stick attached by teachers that has conficker on. I'd be a lot happier if all memory sticks/USB hard drives were fully scanned each time they were attached!

I am also trying to educate staff to ensure their home PCs are fully protected!

edit - useful info.. We're running Enterprise console 4 and Endpoint security 9

Thanks,

Joe

:691
  • I noticed it hasn't been mentioned here, so I wish to add to this (already closed) post - in relation to Conficker, to prevent autoloading of USB media - disable Autoplay on your network.

    This suggestion has been posted for most of the past year, in this article on removing Conficker:

    http://www.sophos.com/support/knowledgebase/article/51169.html

    Go to section 3, step 2, in the "What to do" part of the page:

    Disable USB Autoplay. This must be done correctly as described in the Microsoft knowledgebasehttp://support.microsoft.com/kb/953252. If this is not done correctly the worm may be able to execute if the USB drive is opened in Explorer or double-clicked from My Computer.

    Generally speaking, opening the drive in Explorer will cause Sophos' On-access scanner to kick in, and the infected file should be found. If policy for Conficker has been set as per above doc, this will alert admins to the infected machine via the Console, and they can kick off a remote scan of the system to confirm no other Conficker files are present.

    Rds,

    Stephen

    :965
  • Hi,

    I work with John Stringer in Sophos product management, first time poster here,

    Did some testing around this and noticed that the on-access scanner will pick up files in the removable drive root directory. This is triggered by the OS trying to identify the icons or other file properties as it opens the USB. It was able to catch a virus sample right away when I plugged the USB in without executing it. This was with the on-read setting enabled.

    Sill looking at initiating a full scan, but this does provide some benefits by covering the root directory, figure I'd let people know.

    Regards,

    Shai

    :1843
  • Re: Automatic Scan of removable media [ Edited ]

     12-01-2010 10:42 - last edited on 12-01-2010 10:43

    John,

    I've mentioned this to Ian Lakie by e-mail a week or so ago, but could something be introduced perhaps to stop autorun on removable devices? This could help, as I know I've found out in the last few weeks. However, in certain circumstances, we want the students to access the same computers that teachers use. We'd then be looking for something that would block by user, rather than end point.

    I know there must be hundreds of other ways to do this without involving Sophos, but offering what others don't is typically a good thing..?

    Regards,

    Dave

    :2582