USB device scan on demand

I have the newest free version of CIS released 5/19/2009. My issue is simple:

I have a Seagate free agent drive, 2 regular flash drives and 1 Cruzer Micro FD with a U3 operating system(?) or whatever it actually is - all are infected with a Trojan and maybe other variants.

I want to insert any of these USB plug and play devices and be assured that CIS will prevent any infection, block and remove the offending bug, cleaning the device and preserving my user data.

Can CIS accomplish this directly or do I have to decide which USB port I am going to plug the device into and then, beforehand, create a special scan profile? I am unclear how fast and protective CIS will be when I insert any of these USB devices without any preparation. I am also unclear if any preparation can prevent the infection from these devices.

The Residential scanner should catch it when it has a signature or may flag it as potentially dangerous by the Heuristics.

Make sure to set CIS to Proactive security (Miscellaneous → Manage my configuration) and make sure that Defense+ is set to Safe Mode. Now Comodo is fully armed and will catch anything.

Thanks for your prompt review of my query.

I have changed the settings as you directed - the defense was already set to Safe Mode.

So to recap, when I insert any of the listed devices, including the Seagate 500GB drive or the U3 Cruzer micro drive, what can I expect CIS to do - will it just immediately start a scan of the drive or will it wait until I open the device on my desktop??

I just want to make sure I understand this because 1) the trojan or whatever else is associated with it leaves a very clear mark on the system when it infects:

Namely the C drive becomes inaccessible, and when the C drive icon is double-clicked in the "My Computer" window, an error appears in its own window and says “/resycled - yes reSycled - /boot.com is not a valid operation” or something like that.

I think this bug is a rootkit and I know it is capable of infecting the CMOS code and may even lodge itself in the Host Protected Area of the C drive.

Now how do I know all this - well, it destroyed one system - the motherboard and disk drive that I know of.

The system I am on now is completely resurrected from other computers that were and are known clean.

So, pardon this digression and the dive into so much detail, but I want to know: will CIS spring into action the nanosecond that these USB devices are acknowledged by my OS, and shield my computer from the contagion - BEFORE I have even opened the device on the desktop, much less looked at any of their content?

Thank you in advance!

I was not quite sure how Comodo would react. So I put an innocuous key generator that gets flagged as suspicious on a USB stick. When I access the folder it is in with Explorer, CIS will notify. When it is in the root folder of the USB stick it will be noticed immediately when you access the USB stick with Explorer.

I asked the other mods to take a look at this topic as well to be on the safe side of things.

It should work, but there are no guarantees in life. :wink:

I recently had a USB stick infected with conficker.c which activated by means of an autorun.inf, which Windows, as it is supposed to do, promptly automatically ran when the stick was inserted. CIS real time scanning immediately produced a pop-up and, while it wasn’t (at the time) able to remove the infection from the USB stick, it was able to prevent it infecting the host system.

CIS, Avast, NOD32, Norton, Whatever - there are no guarantees, just degrees of comfort.

Cheers,
Ewen :slight_smile:
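As an added example (not part of the original posts and not Comodo's code): a read-only check that lists which programs an `autorun.inf` on a removable volume would launch, so the drive can be inspected before it is opened in Explorer. The function names and the sample file are constructed for illustration; the sample path echoes the error message quoted earlier in the thread.

```python
import os

# Keys in the [autorun] section that name a program Windows may launch.
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section of an autorun.inf.

    Parsed by hand rather than with configparser, because hostile files are
    often padded with junk lines that a strict INI parser rejects.
    """
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # shell\<verb>\command rewires the drive's double-click / context menu.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value.strip()))
    return found

def inspect_volume(root):
    """Read autorun.inf from a volume root (any letter case) without running anything."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "r", errors="replace") as fh:
                return autorun_commands(fh.read())
    return []

# Constructed sample for illustration only.
SAMPLE = """\
;xkq93jd junk padding
[AutoRun]
asdkj2 91j
open=resycled\\boot.com
shell\\open\\Command=resycled\\boot.com
icon=%SystemRoot%\\system32\\shell32.dll,4
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, cmd in autorun_commands(SAMPLE):
        print(f"{key} -> {cmd}")
```

An empty result means no launch entries were found in the file; it says nothing about whether other files on the drive are infected.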

The most recent reply to my post is spot on to my underlying concern: rootkit infection via USB devices that are activated on insertion.

I should imagine there must have been extensive testing of CIS's most recent 5/19 release given that its news release heralds a new level of host security from peripheral device infection, and given the ever increasing severity of these threats the cases must have included mine and more.

I thank all of you for your responses and I guess my next step is to isolate my current system, image its data to known clean devices and proceed with the actual tests.

The data on the infected devices were my backups from the former system and are too extensive and critical to be sacrificed - 15 years of financial data alone.

Perhaps someday this general issue of viral transference will be put to rest.

Perhaps someday this general issue of viral transference will be put to rest.

This is, unfortunately, in both the medical and technological sense, the nature of viruses - rapid replication in order to ensure continuity and survival of the strain.

A word of advice - if you have 15 years' worth of critical financial data, PLEASE do not rely on a single backup of this data on a single backup medium. Have multiple backups in multiple locations. Our critical data is kept on A) a remote FTP backup site, B) tape and C) DVD. The backups are simple file copies to ensure that the data files can be accessed by just an operating system.

Ewen :slight_smile: