FCS NOT scan removable USB devices...

  • Question

  • Friends,

    I have the following problem on my FCS work environment:
     
    Scenario: 
    Mobile users use laptops with Windows Vista and Windows XP SP3 with the FCS v1.5.1958.0.

    Problem:
    FCS does not automatically detect viruses and malware that are stored in passive mode on USB mass storage devices ("PENDRIVE").

    Symptom:
    After inserting a "PENDRIVE" into a laptop computer, FCS removes the threat only if it is an active virus, such as an "auto executable virus type autorun.inf"; this is normal... However, if a passive virus of the trojan type is contained in a folder at the second or third level of the removable disk, it is not detected automatically by FCS. A manual scan is needed to remove these contaminated files in subfolders.

    Requirements:
    We need FCS to perform an automatic SCAN of all files and subfolders on a removable disk when it is inserted into a protected computer.
    We need the end user to have the ability to perform a manual/quick scan on a suspect "PENDRIVE" by right-clicking on it.

    Thanks for the help you can provide...
    Thursday, February 12, 2009 8:25 PM

Answers

  • The current FCS v1 product does not have the functionality to do an autoscan of all content of a removable drive. If you think about this more as well, this may not be an optimum solution either as the size of removable drives increases. Doing a full scan of a 32 GB jump drive is not a quick/simple process and may irritate your user base if this scan must run every time they plug in/remove their drive...

    As you mentioned, we do actively protect any IO to/from that removable drive, so autoruns that execute are scanned and any files that autoruns call would be scanned. Also, any reads/writes to that removable drive file system are scanned, so if a user did double-click a malware.exe on that filesystem we would detect that read and would not allow an infection of the system.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    • Proposed as answer by ismail yilmaz Friday, May 8, 2009 11:22 PM
    • Marked as answer by Nick Gu - MSFT Saturday, January 2, 2010 1:46 PM
    Thursday, February 19, 2009 7:30 PM

All replies

  • Thanks for your reply.
    I think this is an option that should be left to the election of the end user.

    And what about this other question?

    We need the end user to have the ability to perform a manual/quick scan on a suspect "PENDRIVE" by right-clicking on it.

    Thanks
    Friday, February 20, 2009 7:53 PM
  • Shell integration does not exist in FCS v1, i.e. right-click on something in Explorer and scan.

    In FCS v1 you would need to go into the client GUI, select custom scan, then select the location you want to scan and scan it.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Thursday, March 5, 2009 5:16 PM
  •  Kurt,

    Thanks for your reply.

    Shell integration is a basic function that any antivirus product has. I hope Microsoft considers this option in future versions of FCS.

    It is unfortunate that FCS is not complying with my demands.

    Thanks,

    Carlos A Cambridge M

    Thursday, March 5, 2009 7:06 PM
  • From what I understand v2/Stirling will have this functionality.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Thursday, March 5, 2009 7:17 PM
  • Thanks for the information, Kurt,

    Greetings,
    Thursday, March 5, 2009 8:29 PM
  • Any word as to when v2/Stirling will be out? We also need the shell integration and need to be able to select automatic scanning of removable media on certain systems.
    Rich Torpey
    Monday, December 21, 2009 7:22 PM
  • Hello,

    Any updates on this?

    Thanks,
    Dom


    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    Thursday, February 6, 2014 7:57 PM