Virus Detection with a Flash Drive
By Ira Wilsker

WEBSITES:
http://portableapps.com — includes ClamWin
http://www.emsisoft.com/en/software/stick — a-squared USB version
http://www.malwarebytes.org
http://www.gt500.org/malwarebytes/database.jsp — Malwarebytes update file
http://live.sunbeltsoftware.com — VIPRE PC Rescue

Since writing a column last month on what users can do with USB flash drives in addition to simply storing files, I have had several readers of that column ask me explicitly what I carry on my flash drives, and what I use them for.

Several times a week, either at work, by email, or by phone, I am asked by acquaintances about computer problems, many of which I diagnose as malware infections. If I have available time, I will often ask the user to bring his computer by (if it is a laptop or notebook), or maybe I will stop by his home or office. This is where my USB drive comes in handy. In reality, I am currently using four different USB drives, each for a different purpose. Three of them are used for the common purpose of storing and transporting programs and data files, a function that they serve well. I have one flash drive that is dedicated to detecting and removing malware from possibly infected computers. In order to minimize the risk of cross-infection from a malware-laden computer, I do not use this drive for storing and transporting files, except for those files necessary to detect and remove malware from the target computer, or to attempt to recover infected data files. As a matter of personal practice, I will only update these files on the USB drive on my main computer at home after a thorough scan of the flash drive by several detection utilities to be sure that I am not bringing an infection home. I have also disabled the "autorun.inf" feature on my home computer to make it more difficult for USB-borne malware to infect my home computer, as much of the current crop of flash-drive-borne malware uses the autorun.inf file as the vector to attack a host computer.
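Added here as an illustration of the autorun.inf vector just mentioned (this is not code from the original column): a small Python triage script that reads a drive's autorun.inf and reports what it would launch, so a flash drive can be checked before it is trusted on the home computer. The sample autorun.inf content and the function names are constructed for this example.

```python
import configparser
from pathlib import Path
from typing import Optional

# autorun.inf keys that make older Windows versions run a program when the
# drive is inserted or its icon is double-clicked.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample in the style of an autorun.inf dropped by USB-borne malware.
SAMPLE_AUTORUN = """\
[AutoRun]
open=setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=setup.exe
label=My Photos
UseAutoPlay=1
"""


def triage_autorun(text: str) -> dict:
    """Report what an autorun.inf would launch and how it presents the drive.

    Returns {"launch": [(key, target), ...], "label": str or None, "useautoplay": bool}.
    """
    # INF files are INI-like; keys are case-insensitive (configparser lowercases them),
    # ';' starts a comment, and interpolation must be off because of '%SystemRoot%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(text)
    result = {"launch": [], "label": None, "useautoplay": False}
    for section in parser.sections():
        if section.lower() != "autorun":  # section name may be [autorun] or [AutoRun]
            continue
        for key, value in parser.items(section):
            if key in LAUNCH_KEYS and value:
                result["launch"].append((key, value.strip()))
            elif key == "label":
                result["label"] = value.strip()
            elif key == "useautoplay":
                result["useautoplay"] = value.strip() == "1"
    return result


def inspect_drive(root: Path) -> Optional[dict]:
    """Check a mounted drive root for autorun.inf; return None if there is none."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return None
    report = triage_autorun(inf.read_text(errors="replace"))
    # Note whether each launch target actually exists on the drive (strip icon index).
    report["targets_present"] = [(root / t.split(",")[0]).exists() for _, t in report["launch"]]
    return report


if __name__ == "__main__":
    print(triage_autorun(SAMPLE_AUTORUN))
```

Run `inspect_drive(Path("E:/"))` (or the drive's mount point) against a freshly scanned stick; any entry under "launch" is something to explain before the drive is used.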


One utility I have on my USB flash drive is the suite of applications that can run directly from a USB drive without installing anything on the host computer, available for free download from portableapps.com. Included in this suite is the respected ClamWin Portable, a capable antivirus and anti-spyware scanning utility. As with many other scanning utilities that I use from the flash drive, I periodically load and update the ClamWin Portable on my home computer, and update it again if I know that I will be using it to clean a computer. This portable version is only intended as a malware scanner, and does not offer any resident or continuing protection.

No utility is capable of absolute 100% malware detection and removal, so I personally prefer some redundancy, and choose to scan potentially infected computers with multiple scanning utilities. Another utility that I carry on this flash drive for that purpose is the USB version of the excellent and comprehensive malware scanner and remover a-squared Emergency USB Stick, available for free download at www.emsisoft.com/en/software/stick. This uses the same scanning engine and signature database as the very capable a-squared Anti-Malware, and is explicitly intended to be installed and run from the USB flash drive. This software can be loaded and run from a window, or optionally as a command line scanner. a-squared can be run either in "quick" mode, which will reasonably detect and remove any malware that may be on the computer, or in "deep" mode for a more comprehensive detection. This is another product that I load and run on my home computer prior to using it on a target computer, so that I can update the signature files, as well as routinely update as a contingency.

After running ClamWin and a-squared, and cleaning or neutralizing whatever malware they find, I choose to run a third redundant utility, Malwarebytes Anti-Malware (www.malwarebytes.org). Malwarebytes is not intended to be run directly from a flash drive, but I do carry the latest install version on the flash drive, as well as the free-standing update file, available as a separate download at www.gt500.org/malwarebytes/database.jsp. Since Malwarebytes is well known to many of the miscreants who create much of the contemporary crop of malware, these bad guys have devised ways to prevent its downloading and updating from an infected computer. This is precisely why I carry the installation and update files with me to install from the USB drive, rather than downloading a copy onto the potentially infected computer. I install the software on the compromised computer, and then run the update file from my USB drive. After installation and updating on the infected computer, I perform a quick scan, which is capable of detecting and removing almost all current malware threats. If it appears that there may still be malware on the computer, then I will perform a more detailed full scan.

I have used this triple-redundant detection and removal method with great success on computers infected with viruses, worms, Trojans, and other forms of malware. While each of the three free utilities is very good at what it does, it is not at all unusual for the second or third utility to detect something that the others missed. When I return the previously infected computer to its owner, I want to be reasonably certain that it is clean of malware, and I instruct the user in the proper installation and use of a comprehensive security suite to prevent such an infestation in the future.


Recently, I have started to experiment with a fourth free utility that holds great promise as a USB flash drive based detection and removal utility. This product is new on the market, having just been released. This new product is Sunbelt Software's VIPRE PC Rescue program, available online and for download at live.sunbeltsoftware.com. I have downloaded this program to my USB flash drive and tried it, and it is very impressive, and should rank as one of the best utilities for malware detection and removal. Sunbelt's comprehensive database of malware signatures is included in the file, and includes detection for almost all known malware including rootkits. VIPRE PC Rescue is not run from the USB drive, but must be installed on the host computer. VIPRE has proven itself in recent months as one of the top performing antivirus and anti-spyware utilities, and it is substantially the same detection engine and database in the PC Rescue utility. Once I have had the opportunity to try VIPRE PC Rescue on a few infected computers, I will write a more complete review of it, but in my initial testing, I am quite impressed with it. VIPRE PC Rescue has earned its space on my flash drive, and after more personal testing, I may realign my detection and removal protocol.

USB flash drives have plunged in price in recent years, and for under $10, a flash drive can be purchased and then loaded with all of the free software referenced above. Whether used to clean others' computers, or to have as a tool in case your own computer gets infected, it would be a good practice to have a USB flash drive with these utilities, which need to be updated frequently. To use an old military expression, "it is better to have it and not need it, than need it and not have it."

This article originally appeared in The Examiner, Beaumont, TX, http://www.theexaminer.com and is being reprinted, with permission, for the benefit of User Groups.