Protection from Malware on USB Sticks

Discussion in 'other anti-malware software' started by Krusty, Feb 10, 2018.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,194
    Location:
    Slovenia
    Yes, that's true. I just wanted to point out that SBIE doesn't protect against BadUSB since that attack was mentioned in previous posts.
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    499
    Location:
    Member state of European Union
    I am not assuming. It is my experience.

    Maybe in the US. You are assuming the law everywhere is the same. In some countries the law permits sharing copyrighted material with friends you meet in person or at least relatives. You can't sell it. You can't share with people you don't know in person. There are some requirements, details in law about friends you can share copyrighted material with, but I would like to not discuss that because this would be hard. This would require precise translation of some requirements and it would take me some time to do that as I am not a lawyer nor a native English speaker.
    Uploading a movie to hosting websites could risk breaking the law by sharing with people you don't know in person. Copying via physically connecting to other people's laptop doesn't involve that risk.
     
    Last edited: Feb 11, 2018
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,958
    Location:
    Nicaragua
    You are probably right when you say that Sandboxie doesn't protect against BadUSB but I am not sure, I don't know. You said that nothing runs so there is nothing to sandbox but whenever you plug a flash drive in a computer that has never been attached to that computer, there is an installation. So, something is running. And if you run that USB with the BadUSB infection sandboxed, that installation is isolated by Sandboxie. But anyway, I sent Curt a PM asking him about BadUSB infections and Sandboxie with the link posted by Krusty. We'll see what he says. :)

    Bo
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,194
    Location:
    Slovenia
    OK, Waiting for his response. :)
    Just a quick explanation of how BadUSB works. It's a case of a USB drive with modified firmware. When attached to your computer it identifies itself as, let's say, a keyboard, so the OS thinks that a new keyboard was attached and not a USB drive. The modified firmware then sends commands to your system the same way as an attacker would be doing it sitting behind your keyboard. So neither your OS nor SBIE knows that there is a USB drive inserted. They both see only a second keyboard attached, giving commands the same way as a regular keyboard. That's why SBIE wouldn't help much here.
     
  5. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,059
    Location:
    Nebraska, USA
    Come on. You are assuming these people are physically close enough that they can come over. That may be YOUR experience but this is not about you.
    You are right, I did assume. But the only thing I assumed is the country is a member of the United Nations. For it is a requirement for all member countries of the UN to comply with WIPO in Geneva. That includes, "Some country in the European Union".

    Just because some countries lack the resources or desire to stop music and movie piracy, that does not make filesharing of copyrighted intellectual property legal. So even in "Some country in the European Union" it is illegal to share such materials, even with friends and relatives, unless they live in the same house!
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,958
    Location:
    Nicaragua
    When I first mentioned Sandboxie, I said, "Those of us using Sandboxie don't need to install anything to protect ourselves from infected flash drives", so I was not suggesting to install SBIE for the sole purpose of protecting ourselves against infections via USB drives but encouraging users who are already using SBIE to maximize what they do with it.

    Why?...Read below.
    If you read my posts, you know I don't plug other people's flash drives in my computers, and consider doing it a bad idea, so we agree on that, but the protection we get when we run files that run out of a USB drive under Sandboxie's protection is many times better than expecting up to date antiviruses to be at 100%. They never are, as they depend on signatures; they are always behind. Sandboxie doesn't need updates to protect you.

    When we plug a flash drive, a sandboxed version of Windows Explorer pops open running automatically. That is the safest way to run files under Sandboxie as there is nothing that will not run sandboxed or isolated from the system via a sandboxed Windows Explorer.

    By the way, Sandboxie has a free version. The protection is identical to the one in the paid version. The real difference is usability, the paid version gets things done automatically, less thinking required to get files and programs running sandboxed.

    Bo
     
    Last edited: Feb 11, 2018
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,958
    Location:
    Nicaragua
    We'll see what he says but I reckon you are probably right.

    Bo
     
  8. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,059
    Location:
    Nebraska, USA
    Okay Bo, but your posts seem to be a clear campaign to promote SBIE. I am NOT suggesting you have a financial interest here. But if the OP and other readers don't already have it, not sure I see the point to keep promoting it. The question Krusty asked was if we really need a separate program? We don't.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,958
    Location:
    Nicaragua
    Exactly, his question was whether or not we should install something to protect against flash drive infections. My answer was to the point. Sorry you don't like it.
    There are many members here using Sandboxie, who mostly use Sandboxie to protect their browser and nothing else. Perhaps they don't know that Sandboxie can also be used to isolate USB drives. In fact, Sandboxie's level of protection is greater when you sandbox files and programs that run out of a sandboxed USB drive than when they sandbox their browser. That's how strongly Sandboxie protects the system from flash drives. But I know, you don't care about that, all you care about is promoting WD. So you know, I don't use AV but I like Windows Defender and recommend it over all other antiviruses, but the honest truth is that no AV can give solid protection against malware (out of flash drives or not).

    Bo
     
  10. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,059
    Location:
    Nebraska, USA
    It's not that I don't like it. I think SBIE is a great program and I never said it would not work. You made your claim for it back in post #18 and again in #23 and again in #31. Yet you are still pitching it in your last post, #34.

    But the facts remain: it is not free, it is not practical for most users, and to the point of this thread, it is not needed. Sorry if you don't like that.
     
  11. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,720
    Location:
    UK
    Ages ago I got interested in using Sandboxie after reading about it here on Wilders. At the time I was testing some PUAs via Sandboxie and reporting to a number of AV companies. I don't have the time to do that now and came to the conclusion I don't need Sandboxie. I examined what I do online and came to the conclusion I don't need it. No-one shares a USB drive with me anyway.

    I used to think after reading the advice on here it was the right thing to sandbox every browsing session but not so now. It comes down to what one does online and not being 'click-happy' as someone else put it. For example, I'm only on Wilders now in one tab. Do I need to sandbox it? No, I don't think so. When I'm done here, I may go to BBC News. Do I need to sandbox that? Again, I don't think I do.

    Sandboxing is a great technique but I think it depends on what you're doing.
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    875
    Hey, let's not argue the relative virtues of Sandboxie. That's what you call a moot point. No reason we should allow ourselves to get dragged down that road. Especially since it is "off topic".
     
  13. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    499
    Location:
    Member state of European Union
    Specifics about how an international treaty is implemented in a country's law can differ between countries. It must be prepared in a way that fits inside the legal system of the country. Don't assume IP laws in the US are in every detail completely the same as in every EU member state.
    This is the end of this off-topic for me.
     
  14. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,059
    Location:
    Nebraska, USA
    Sorry, but you don't seem to understand WIPO and how every UN member country has agreed to respect the IP rights of their fellow member countries. In no UN country are you allowed to give away, or facilitate the taking of copies of copyrighted materials - at least not outside the same home.

    Yes, how those laws and agreements are enforced is up to each country. But whether enforced or not is totally different from being legal, or not. And for the record, many of the EU's laws on the protection of IP rights are tougher than here in the US. So if your claim to be from "some country in the European Union" is true, don't assume your country's laws are more lax than here in the US. Software piracy is the same the world round. It is illegal.

    Now I agree, this is OT so I too am done.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,834
    Location:
    Among the gum trees
    Thank you.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,958
    Location:
    Nicaragua
  17. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,059
    Location:
    Nebraska, USA
    :( He just won't let it go. Sorry Krusty.

    To reiterate the point in regards to the topic of this thread where Krusty asked (my "emphasis" added),
    The answer remains the same. No, we do NOT need a "separate" program to protect us from these threats.

    What we need is to,
    • Keep our operating system current,
    • Keep our normal anti-malware solution current,
    • Ensure autoplay is disabled (the default setting),
    • Don't be "click-happy" on unsolicited links, downloads, attachments, and popups, to include...,
    • Don't be "click-happy" on files stored on detachable storage devices (thumb drives, USB drives, etc.). Scan them first!
    Note these practices are part of the same user discipline we all must follow, regardless the anti-malware solution we use, or the threats we may encounter. So again, we do NOT need a "separate" program to thwart threats that may be lurking on USB devices.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,223
    Location:
    Mexico
    You won't either. Sorry @Krusty , @Bill_Bright is an authoritarian.

    @Bill_Bright
    For you and many others with similar thinking there's no need of a separate program to protect from malware hiding on USB devices. Fine, good for you.

    However, for @bo elam , me and many others there's need of a separate program to protect from malware hiding on USB devices, namely Sandboxie. Yes Sandboxie in bold letters, lol.

    Moreover, for many others there's still need of a separate program(s) to protect from malware hiding on USB devices. Which ones? There are several third-party solutions out there to satisfy the need.

    Moral: to each his own. Period.

    Now if @Krusty decides to make use of a third party program, then other members can contribute to that in this thread.
     
  19. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,059
    Location:
    Nebraska, USA
    Authoritarian? LOL. Not hardly. But I do believe in the rule of law, and that, unfortunately, "freedom is not free". And if I were an authoritarian, I would have said, "Do not use a separate program!". Did I? Nope.

    Okay then. Why?
    • Is your normal real-time anti-malware solution inadequate?
    • Do you run with auto-play enabled?
    • Do you allow strange devices to be connected to your computer?
    • Do you access strange devices connected to your computer without scanning first?
    • Do you run, open, or copy files from unscanned devices connected to your computer?
    • Do you allow untrusted users to use your computer?
    • Do you not keep your OS and security updated?
    • Are you "click-happy"?
    If you answered "yes" to any of those questions, then okay, you may need a separate program. But if you answered "no" to all of them, then running a separate program is not needed.

    FTR, we use Sandboxie on our test machine here - the computer we use in the shop to help troubleshoot sick client systems and to try out new software. But SB is not installed on this machine I am using now or any other of my "normal" systems in the house that are used for normal computing tasks (surfing the net, emails, paying bills, school and work projects, social media, streaming music and videos, gaming, etc.). It is not needed, or practical.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,223
    Location:
    Mexico
    I don't like them, I don't believe in them, ergo I don't have/use any.
    Nope.
    I have to. I am a PC technician and sometimes I have to plug in some USB devices, etc.
    I have to, but not open any of the files, there's no need for me to do that. Just recover data, e.g., to back up HDDs before nuke and pave.
    Answered in the previous question.
    Nope.
    Yes although I must say I don't trust Windows security at all.
    Yes, a bad habit I have when browsing the Internet only. I rely a lot on SBIE here.
    Funny thing here is most people would answer "No" to these questions yet they don't use third party security programs, except for a crappy A/V, and their machines come already infected.
     
  21. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,059
    Location:
    Nebraska, USA
    Okay. This answers everything.

    I too am a technician. But as I noted, I have a different computer I use for such purposes. I would never use my personal, everyday use computer for such uses. And I know of no other technician who would either.

    That puts you and me in a different category than the "normal" user. Surely you don't consider yourself the typical example of the "normal" computer user? We are exceptions and exceptions don't make the rule. We intentionally expose our systems to potential or unknown threats. We, therefore, have to take extraordinary precautions.

    But that does not suggest those extraordinary precautions are right, or for everyone else. And IMO that means we, as technical advisers, need to tailor our responses for that audience - the "normal" user.

    "Most users"? And "already infected"? I don't even know what that means. The fact is, most A/V programs, including Windows Defender, are more than capable of keeping the average user secure AS LONG AS users keep their systems current and are not "click-happy". And the fact is, most users are NOT already infected. And they don't need 3rd party A/V programs to keep them clean.

    FTR, I use Windows Defender and Windows Firewall on all my personal systems and have never been infected since using that setup - going back to MSE on W7. BUT I do always recommend everyone have a secondary scanner for at least "on-demand" scanning just to verify their primary scanner (or the user) did not let something slip by. But that is regardless their primary scanner of choice. And just FTR, the secondary scanner I recommend is Malwarebytes.

    But now we are getting off on yet another OT tangent.

    (edit add: corrected a couple typos)
     
    Last edited: Feb 12, 2018
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,500
    Location:
    Europe then Asia
    That is all that matters, and since most of Average Joe will do at least one of those points...
    Just put a USB on the floor in a place where people use their laptop with a "my porn collection" sticker on it; then observe how many will plug it and run the files inside.
    I did the test once, 100% easy system penetration guaranteed. :D
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,904
    Heck I remember someone tested by placing a myporn.exe on 57 USB sticks and scattered them in their parking lot. All the program did was call home to him. 56 called home.
     
  24. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,790
    I think we should clarify, autoplay settings have no bearing on this type of threat.
    Autoplay options just tell Windows whether to open files on the USB device, or not.
    USB thumbdrives have their own onboard microprocessor and firmware that can be used to attack the host OS as soon as it is mounted regardless of the autoplay options.

    Usually when you plug in a USB thumbdrive, it tells the OS, Hi, I am a USB thumbdrive and a dialogue appears telling the user it is being mounted/installed so in theory the user should be able to see if their thumbdrive is claiming to be a keyboard or not, which makes me wonder if there is a switch to ask the OS for silent install or not.
    I also wonder if a USB device can tell the OS at some later time, I am no longer a mass storage device, I am now a keyboard.
     
    Last edited: Feb 13, 2018
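
The check raised in posts 4 and 24 (is a "thumb drive" also presenting itself as a keyboard, and did it change identity later?) can be made from the interface descriptors a device returns at enumeration. This is an added example, not code from any poster; the function names and the sample descriptor bytes are constructed for illustration.

```python
import struct

# USB-IF class codes and standard descriptor types used below.
HID, MASS_STORAGE = 0x03, 0x08
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05

def parse_interfaces(blob: bytes):
    """Walk a configuration descriptor; return (class, subclass, protocol) per interface."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]          # wTotalLength
    if not 9 <= total <= len(blob):
        raise ValueError("wTotalLength does not match captured data")
    found, off = [], 0
    while off < total:
        if off + 2 > total:
            raise ValueError("truncated descriptor header")
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            found.append(tuple(blob[off + 5:off + 8]))    # class, subclass, protocol
        off += length
    return found

def audit(blob: bytes, expected_class: int = MASS_STORAGE):
    """Findings for a device the user believes is a plain storage stick."""
    findings = []
    for cls, sub, proto in parse_interfaces(blob):
        if cls == expected_class:
            continue
        if cls == HID:
            # Boot keyboards report subclass 1 / protocol 1; other HID devices may
            # still type, so every HID interface on a "storage" device is flagged.
            kind = "boot keyboard" if (sub, proto) == (1, 1) else "HID device"
            findings.append(f"unexpected {kind} interface")
        else:
            findings.append(f"unexpected interface class 0x{cls:02x}")
    return findings

def reenumerated(first: bytes, later: bytes) -> bool:
    """True if the interface set differs between two enumerations on the same port."""
    return sorted(parse_interfaces(first)) != sorted(parse_interfaces(later))

def build_config(*ifaces):
    """Constructed sample data: one interface + one endpoint descriptor per entry."""
    body = b"".join(
        bytes([9, DT_INTERFACE, n, 0, 1, c, s, p, 0]) +
        bytes([7, DT_ENDPOINT, 0x81 + n, 0x03, 8, 0, 10])
        for n, (c, s, p) in enumerate(ifaces))
    head = bytes([9, DT_CONFIG]) + struct.pack("<H", 9 + len(body))
    return head + bytes([len(ifaces), 1, 0, 0x80, 50]) + body

PLAIN_DRIVE = build_config((MASS_STORAGE, 0x06, 0x50))             # SCSI, bulk-only
COMPOSITE = build_config((MASS_STORAGE, 0x06, 0x50), (HID, 1, 1))  # storage + keyboard

if __name__ == "__main__":
    print(audit(PLAIN_DRIVE), audit(COMPOSITE), reenumerated(PLAIN_DRIVE, COMPOSITE))
```

A legitimate composite device (for example a keyboard with a built-in hub or storage) also trips this check, so the finding is a prompt to compare against what the device is supposed to be, not a verdict.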
  25. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    499
    Location:
    Member state of European Union
    USB, as the name implies, is a serial bus. IIRC when a USB keyboard sends a key it sends it to all the devices connected to the same bus. Thus you can create a hardware keylogger. Let's say somebody loans you a USB device looking like a pendrive. It can also be used as a pendrive, but it has another hidden feature - a keylogger. Anything you type while the keylogger is connected to USB is going to be recorded. Then you give it back and this person has at least some of your keystrokes.
     