USBVirusScan will launch any program you provide as a command line parameter each time a USB stick is inserted. I use it to start a full virus scan on the inserted USB drive, hence the name.
For example, to start a cmd.exe on each USB drive you insert, you start USBVirusScan like this:
USBVirusScan cmd /k %d:
%d (or %c for legacy reasons) is a placeholder for the drive-letter of the inserted USB drive.
USBVirusScan uses a system tray icon and balloons to announce the insertion of a USB drive. If you want to hide this system tray icon, start USBVirusScan with option -i, like this:
USBVirusScan -i cmd /k %d:
You can also hide the command line console with option -c. This only works with Console applications, not with Windows applications. Option -e will disable the Exit command in the pop-up menu.
The -q switch will stop a running instance of USBVirusScan.
A new flag, -d, adds debugging support to USBVirusScan. When this flag is present, USBVirusScan will write debug output when drives are inserted. This debug output can be viewed with DebugView.
I added 3 placeholders with new versions:
- %v is the volume name of the inserted drive
- %s is the volume serial number of the inserted drive
- %f is the filesystem (NTFS, FAT, …) of the inserted drive
The volume serial number is assigned by the operating system when a hard disk is formatted. It is not the serial number assigned by the manufacturer. See function GetVolumeInformation for details.
The volume name and volume serial number allow me to script different actions for the different USB drives I plug into my system. For example, when I insert my USB drive with my TrueCrypt-protected data on it, my script automatically launches the TrueCrypt program to mount the drive; I just have to type the pass-phrase. Or when I insert my MP3 player, the script opens the folder with queued-up podcasts.
And for all other drives, I start a virus scan.
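One way to script the per-drive actions described above, as an added example that is not part of the original post or of USBVirusScan: a Python handler that validates the substituted values, looks the serial up in a table, and builds the scan log name from %s and %v. The launch line, the sample serials, the TrueCrypt and log paths, the Podcasts folder and the hex rendering of %s are assumptions.

```python
"""usb_dispatch.py: added example, not part of USBVirusScan or this post.

Assumed launch line (Python being installed and on PATH is an assumption):
    USBVirusScan.exe python usb_dispatch.py %d %s %v
%v goes last because a volume name may contain spaces.
"""
import re
import subprocess
import sys

# Scanner path and switches as given in a comment further down this page;
# replace them with the command line of your own AV product.
SCANNER = r"c:\Program Files\Network Associates\VirusScan\csscan.exe"
LOG_DIR = r"c:\usbscan-logs"  # hypothetical directory for scan logs
TRUECRYPT = r"C:\Program Files\TrueCrypt\TrueCrypt.exe"  # assumed path

# Constructed sample serials mapped to an action. The serial is written at
# format time and is not a secret: it picks a convenience action, no more.
KNOWN_DRIVES = {
    "1A2B3C4D": "truecrypt",
    "0BADF00D": "podcasts",
}


class BadArgument(ValueError):
    """Raised when a placeholder value does not look like what we expect."""


def parse_args(argv):
    """Validate the values substituted for %d %s %v before using them."""
    if len(argv) < 2:
        raise BadArgument("expected: drive serial [volume name]")
    drive, serial = argv[0], argv[1]
    volume = " ".join(argv[2:])  # empty when the drive has no label
    if not re.fullmatch(r"[A-Za-z]", drive):
        raise BadArgument("drive must be a single letter")
    # Assumption: %s is rendered as hex digits, possibly with a hyphen.
    if not re.fullmatch(r"[0-9A-Fa-f][0-9A-Fa-f-]{0,15}", serial):
        raise BadArgument("unexpected serial format")
    return drive.upper(), serial.replace("-", "").upper(), volume


def safe_label(volume):
    """Reduce the volume name (chosen by whoever formatted the drive)
    to characters that are safe inside a file name."""
    cleaned = re.sub(r"[^A-Za-z0-9_-]", "_", volume)[:32]
    return cleaned or "NO_LABEL"


def build_command(drive, serial, volume):
    """Return (action, argv) for this drive; unknown drives get scanned."""
    action = KNOWN_DRIVES.get(serial, "scan")
    if action == "truecrypt":
        return action, [TRUECRYPT]
    if action == "podcasts":
        return action, ["explorer.exe", drive + ":\\Podcasts"]
    log = LOG_DIR + "\\scan_" + serial + "_" + safe_label(volume) + ".txt"
    return action, [SCANNER, "/secure", "/quiet", "/log", log, drive + ":"]


def main(argv):
    try:
        drive, serial, volume = parse_args(argv)
    except BadArgument as exc:
        print("refusing to act:", exc, file=sys.stderr)
        return 2
    action, command = build_command(drive, serial, volume)
    # An argument list with no shell in between: characters such as & or |
    # in a value are never interpreted as command separators.
    subprocess.Popen(command)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```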
Here’s a Windows Script example (log.vbs) that will create a log.txt file on the inserted USB drive with the current date & time:
' log.vbs: append the current date and time to log.txt on the inserted drive
Dim objFSO
Dim objTextFile
Dim strFilename

' Argument 0 is the drive letter that USBVirusScan substitutes for %d
strFilename = WScript.Arguments.Item(0) & ":\log.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(strFilename) Then
    Set objTextFile = objFSO.OpenTextFile(strFilename, 8) ' 8 = ForAppending
Else
    Set objTextFile = objFSO.CreateTextFile(strFilename)
End If
objTextFile.WriteLine Now()
objTextFile.Close
You start it with this command: USBVirusScan.exe wscript log.vbs %d
Example of the content of the log file after inserting the USB drive twice:
14/10/2006 17:05:00
14/10/2006 17:05:21
I used sample code for system tray programming from this Code Project article, and for the rest I generated a new GUID and made some cosmetic changes to the original USBDumper code.
Here is a YouTube movie showing you the program starting a virus scan. A hi-res (XviD) version can be found here.
Download:
USBVirusScan_V1_7_2.zip (https)
MD5: BDEF7BAE13C10B2B6CD650A89FD910ED
SHA256: 0090C73D6A3725E75C3388387A7A9E869C5D6BEA83E0D4D612E1CB25458163F3
This ZIP file contains both the executable and the source code. If you don’t plan to modify the source code of this program, you’ll only need to extract USBVirusScan.exe.
Compiled with Borland’s free C++ 5.5 compiler. Tested on Windows XP SP2 and Windows Vista.
Interesting tool. Saw it mentioned on the security monkey blog.
I don’t see instructions for using/installing it. Looking at the start.bat, I’m guessing that the program has to be installed on each usb device. If it is installed on the PC I don’t see how it would work.
Thanks
Comment by Rohn — Wednesday 29 November 2006 @ 7:53
The program doesn’t require installation, and you don’t have to install it on each USB device.
You just run it on the computer where the USB devices will be inserted; it listens to the events and detects when a USB device is inserted. And it doesn’t require admin rights.
Say you want to open the readme.txt file on each USB device you insert. Run this command: USBVirusScan notepad.exe %d:\readme.txt
Comment by Didier Stevens — Wednesday 29 November 2006 @ 18:23
Thanks Didier, but I must be especially dense, I still don’t get it.
To make the tool work follow these steps:
1. unzip the downloaded file in a folder on the PC, any specific folder:
/Windows/
/System/
/System32/
/USBVirusscan/
???
2. Edit the start.bat file, customizing it to identify actions you want taken when devices are inserted (where is it put?)
3. what has to be done to make the PC recognize the app when USB device is inserted?
Run a service?
Put USBVirusscan in the startup folder?
Put start.bat in the startup folder?
???
Thanks
Comment by Rohn — Thursday 30 November 2006 @ 8:43
Fine program
Is there a way to remove the exit option, at startup or other...
I wanted to deploy it to a few workers that use USB keys. I had it start a Symantec scan on the key. But the user has the ability to stop it, so there is a security risk …
Thanks
Comment by Earl Yeo — Wednesday 6 December 2006 @ 12:48
[...] new version ignores mounting of network [...]
Pingback by USBVirusScan v1.3.0 « Didier Stevens — Monday 8 January 2007 @ 15:34
[...] USB Virus Scan is a nice little command line utility that performs predefined operations if a usb drive is connected to your computer. It is able to distinguish between various drives which means that you can add custom operations for the drives that you own and a general option for drives that are not recognized. The tool uses the volume serial number of the drives to identify them and perform the operation. [...]
Pingback by Autostart programs when a usb drive is connected » gHacks tech news — Monday 22 January 2007 @ 19:33
Yeahhhh!
Thanks a lot for this nifty piece of software
I’m going to use it on a laptop in my car so that I can just plug any USB device with music on it.
I make this program run Winamp for every USB device connected so that it loads all the music files on that drive, I later control Winamp with mtvoid’s Control Freak (http://mtvoid.com/) on an old Nokia 6680 through a bluetooth serial port.
Sorted!
Comment by Robert — Tuesday 30 January 2007 @ 17:07
Didier,
Thank you very much for this great application!! I hope I can once contribute to the Open Source community with something this useful!!
More power to you!
Comment by Hans Hansen — Thursday 1 February 2007 @ 7:07
Great utility!!!! I am using it to update Virus Definitions and scan USB drives.
Thanks a bunch!!!
Comment by J Royston — Saturday 17 February 2007 @ 5:37
[...] USB Virus Scan is a nice little command line utility that performs predefined operations if a usb drive is connected to your computer. It is able to distinguish between various drives which means that you can add custom operations for the drives that you own and a general option for drives that are not recognized. The tool uses the volume serial number of the drives to identify them and perform the operation. [...]
Pingback by Autostart programs when a usb drive is connected : Tech Tips — Sunday 25 February 2007 @ 7:08
Hi!
Nice Program!
Is it possible to add a command line option to unload the program from memory?
It would also be nice to have an option that would disable any output if the program is already running, so that users that accidentally find the program don’t try to kill the task or delete the program
Thanks
Comment by Alfredo — Wednesday 28 February 2007 @ 1:05
> It would also be nice to have an option that would disable any output if the program is already running, so that
> users that accidentally find the program don’t try to kill the task or delete the program
Do you mean a “Hide” menu entry on the systray icon that would hide the program if it’s already running?
Comment by Didier Stevens — Wednesday 28 February 2007 @ 11:51
Well, I was talking about preventing multiple executions of the usbvirusscan program, that would generate multiple icons on the system tray.
So if the program was already running it would not load itself again. (in this case it would not display any message saying “program already running”, it would just terminate, of course there could be an option for the first time the program is executed to say if will give a message or not in already running).
The other option I was asking for, would be related to the one I just mentioned, If there would be 1 copy of the program in memory and in the command line parameters I said –quit or something like that, the resident copy of the program would be unloaded.
Thanks
Comment by Alfredo — Sunday 4 March 2007 @ 6:25
I’ve released a new version (v1.4.0) that allows only 1 running instance. Unloading the program with a command-line switch requires Inter Process Communication between 2 instances of the program, I’ll program it when I find a reliable and simple way to do this IPC.
Comment by Didier Stevens — Tuesday 6 March 2007 @ 9:28
[...] Filed under: My Software, Update — Didier Stevens @ 9:35 USBVirusScan v1.4.0 has a new “feature”: from this version on, only one instance can be running. This was [...]
Pingback by USBVirusScan v1.4.0 « Didier Stevens — Tuesday 6 March 2007 @ 9:35
super handy little prog , used it for loading 300+ usb sticks with promo info
thanks a bunch !
Comment by randal — Thursday 10 May 2007 @ 7:30
Is it possible to make a version that will sit on the USB drive instead of the PC? So that way Truecrypt would always open regardless of what computer I plugged it into?
I suppose the problem is that people could use that maliciously as well…
Comment by Neil — Tuesday 19 June 2007 @ 21:35
Autorun is used for this purpose, but this doesn’t work for removable drives (this is by design). Search for autorun in the FAQ: http://www.microsoft.com/whdc/device/storage/usbfaq.mspx
http://www.u3.com has a solution: their USB sticks also simulate a CD-ROM drive. autorun works with CD-ROMs.
Comment by Didier Stevens — Tuesday 19 June 2007 @ 21:58
hi
How can I make this program work with McAfee VirusScan Enterprise 8.5i? I want this program to silently clean every USB drive I insert in my PC… with no ICON in the system tray.
thanks
Comment by ajay — Sunday 12 August 2007 @ 7:28
Take a look at the start.bat file in the archive.
Comment by Didier Stevens — Monday 13 August 2007 @ 20:34
there is no /target option for csscan.exe which is present in the C:\Program Files\McAfee\VirusScan Enterprise\ directory .i am using new McAfee VirusScan Enterprise 8.5i…
thank you
Comment by ajay — Wednesday 15 August 2007 @ 9:09
Hi Didier,
Great program indeed! Congratulations. I’m trying to edit the Start batch file to run with Symantec AntiVirus but it simply starts up the program without actually performing the scan on the USB. This is what I have
USBVirusScan.exe "c:\Program Files\Symantec AntiVirus\VPC32.exe" /target %%c: /secure /quiet /log c:\log.txt
What do I need to change to automate the scan?
Thanks
Comment by Frederick — Thursday 16 August 2007 @ 9:22
Indeed, just discovered that csscan of version 8.5i doesn’t accept the /target option.
Use this instead:
USBVirusScan.exe "c:\Program Files\Network Associates\VirusScan\csscan.exe" /secure /quiet /log c:\log.txt %%c:
Comment by Didier Stevens — Thursday 16 August 2007 @ 11:36
I searched for the Symantec AV command-line tool, here it is explained:
http://entkb.symantec.com/security/output/n2002100907421648.html
Assuming that vpscan.exe is also located in the Symantec AntiVirus directory, your command would look like this:
USBVirusScan.exe "c:\Program Files\Symantec AntiVirus\vpscan.exe" %%c:\
Comment by Didier Stevens — Thursday 16 August 2007 @ 11:43
In case somebody searches on how to use your wonderful little utility with the avast 4.7 Quick Scanner, I record this for posterity:
USBVirusScan "C:\Program Files\Alwil Software\Avast4\ashQuick.exe" %%c: /a /c /i /p=1 /s /t=a –report
Thank you for your nifty utility.
Comment by Jerry M. — Wednesday 22 August 2007 @ 3:13
Thanks for your Avast tip!
Comment by Didier Stevens — Wednesday 22 August 2007 @ 17:48
Two questions:
Is it possible to hide the start.bat window ?
Imagine this scenario, loading two or more usb drives, the program can only virus check one of it ? ? ?
-/-
For Avira Antivir Classic users:
USBVirusScan.exe "C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe" /GUIMODE=1-4 /PATH= "usb drive letter"
Example:
USBVirusScan.exe "C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe" /GUIMODE=2 /PATH= "F:\"
Comment by V8 — Friday 24 August 2007 @ 23:24
@V8:
If so, the syntax methinks ought to be
USBVirusScan.exe "C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe" /GUIMODE=2 /PATH= %%c:
or maybe
USBVirusScan.exe "C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe" /GUIMODE=2 /PATH= %d:
@Didier:
The avast line I gave in my previous comment should be changed to
USBVirusScan "C:\Program Files\Alwil Software\Avast4\ashQuick.exe" %d: /a /c /i /p=1 /s /t=a –report
if it is to be used in a shortcut. I have added USBVirusScan to my startup so that my computer is prepared for whatever storage media is plugged into it.
I also wish to report that USBVirusScan functions very well even after being UPX‘d.
Comment by Jerry M. — Monday 27 August 2007 @ 11:09
>Is it possible to hide the start.bat window ?
It is possible to hide console programs, use the -c option.
>Imagine this scenario, loading two or more usb drives, the program can only virus check one of it ? ? ?
Do you mean that the AV program can only scan one drive at a time?
Comment by Didier Stevens — Wednesday 29 August 2007 @ 20:03
>Is it possible to hide the start.bat window ?
It is possible to hide console programs, use the -c option.
I did that, but sometimes it fails, i dont know why.
>Imagine this scenario, loading two or more usb drives, the program can only virus check one of it ? ? ?
Do you mean that the AV program can only scan one drive at a time?
Yes, it's impossible to scan all usb drives at the same time, the problem is the parameter (/PATH= %d:), other usb have e:\ or f:\, so the AV fails to scan the other usb drives.
And by the way, i notice that, USbVirusScan, detect daemon tools virtual drive/ Alcohol 120% Virtual Drive as a USB drive.
Can u explain, why ?
Comment by MacasJr — Thursday 30 August 2007 @ 6:38
>I did that, but sometimes it fails, i dont know why.
Maybe you’re starting another CMD or BAT from that BAT file.
> And by the way, i notice that, USbVirusScan, detect daemon tools virtual drive/ Alcohol 120% Virtual Drive as a USB drive.
Are you sure you are using the latest version of USBVirusScan? I also use daemon tools and it doesn’t trigger USBVirusScan. USBVirusScan is based on USBDumper, and I discovered it also triggered on network drives. So I added code in a later version of USBVirusScan to ignore these drives.
Comment by Didier Stevens — Thursday 30 August 2007 @ 11:15
>I did that, but sometimes it fails, i dont know why.
Maybe you’re starting another CMD or BAT from that BAT file.
- Im using a simple Shortcut to the dir that haves the usbvirusscan, start.bat file. Sometimes the cmd windows does not appear.
> And by the way, i notice that, USbVirusScan, detect daemon tools virtual drive/ Alcohol 120% Virtual Drive as a USB drive.
Are you sure you are using the latest version of USBVirusScan? I also use daemon tools and it doesn’t trigger USBVirusScan. USBVirusScan is based on USBDumper, and I discovered it also triggered on network drives. So I added code in a later version of USBVirusScan to ignore these drives.
- Im using 1.5.0, and it continues to trigger usbvirusscan, do u have all emulation options enabled ?
Check out this video: http://www.mediafire.com/?4dhovnrxjvj
Have a nice day.
Comment by V8 — Friday 31 August 2007 @ 23:36
I was not able to reproduce your Daemon tools issue after enabling all emulation options. Which version do you use? And where can I download a safe version, because sometime ago I decided to upgrade but got a version with adware?
Comment by Didier Stevens — Saturday 1 September 2007 @ 12:48
It seems that daemon tools official have adware (WhenU.DAEMONTools.SearchBar), but it's an option, but u can uncheck the install Daemon Toolbar box.
Im using 4.06HE, its old.
Comment by V8 — Saturday 1 September 2007 @ 17:28
It seems that daemon tools official release has adware (WhenU.DAEMONTools.SearchBar), but it’s an option, u can uncheck the install “Daemon Toolbar box”.
I’m using 4.06HE, it’s old.
Comment by V8 — Saturday 1 September 2007 @ 23:28
And, Stevens, what about the “multiple usb drives scan” ?
TEST 2:
=> Two usb drives infected with “eicar test”. Can USBVIRUSSCAN command A.V to scan both drives?
Config: USBVirusScan.exe "C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe" /GUIMODE=1 /PATH= "F:\"
VIDEO: Check this out: http://www.mediafire.com/?a3yncih0ofj
RESULT: FAILURE, SECOND USB DISK (G:\) STILL INFECTED.
Have a nice day . . .
Comment by V8 — Sunday 2 September 2007 @ 1:34
Stevens talk to me . . .
Comment by V8 — Monday 3 September 2007 @ 20:28
Be patient, I’ll look into it.
Comment by Didier Stevens — Tuesday 4 September 2007 @ 10:40
Ok …
Comment by V8 — Wednesday 5 September 2007 @ 20:31
Hello, no more news ? ? ?
Comment by V8 — Tuesday 18 September 2007 @ 12:53
[...] This program is a derivative of USB Virus Scan by Didier [...]
Pingback by …system bug… » Blog Archive » PSP monitor v0.5beta — Sunday 21 October 2007 @ 16:18
[...] USBVirusScan 1.6.1 Filed under: My Software, Update — Didier Stevens @ 7:44 This new version of USBVirusScan adds a new placeholder %f and provides debugging [...]
Pingback by Update: USBVirusScan 1.6.1 « Didier Stevens — Tuesday 6 November 2007 @ 7:44
[...] USBVirusScan Didier Stevens __________________ cause you can’t, you won’t, and you don’t stop………… cause you can’t, you won’t, and you don’t stop………… cause you can’t, you won’t, and you don’t stop………… [...]
Pingback by Good USB key scanner? - mcarterbrown.com — Thursday 8 November 2007 @ 14:40
Dear Mr Didier,
I think your handy USB virus cleaner is very
useful but my problem is due to lack of knowledge I dont know how to install it and
if you can give me step by step instructions
i will be very thankful to you.
thanking you,
yours truly,
wimal
Comment by wimal — Friday 30 November 2007 @ 7:30
how to use this program? sorry for asking but i really don’t know about this…but i’m interested!
Comment by Bolino — Monday 14 January 2008 @ 13:34
Hi everyone,
I am trying to execute the USBVirusScan.exe using the default start.bat… however, I want it to launch another BAT file called “lnch.bat” which is set to invisible mode (using .VBS file)… but when i use the “-c” flag after executing the USBVirusScan.exe file, the window console will still show up… what is the correct command line??
Here is mine, to launch the “lnch.bat” file, and supposedly not show anything that is going on
USBVirusScan.exe -i -c /k lnch.bat
Comment by Esteban — Wednesday 16 January 2008 @ 0:11
@Bolino
What do you want to do with the program? If you want to scan your USB sticks, what is your anti-virus product?
Comment by Didier Stevens — Wednesday 16 January 2008 @ 20:53
@Esteban
Maybe your lnch.bat files launches another program or .bat file. That other program will not be invisible. You can mail me your .bat file if you want me to have a look at it.
Comment by Didier Stevens — Wednesday 16 January 2008 @ 20:56
I use this for McAfee enterprise (for those who use it):
usbvirusscan "c:\Program Files\McAfee\VirusScan Enterprise\scan32.exe" /target %d:
and it works beautifully. Highly recommended.
Comment by charlene — Tuesday 12 February 2008 @ 3:40
Would this program work with grisoft’s avg if so what would the command line be?
Comment by Julie — Tuesday 19 February 2008 @ 15:29
This is a great program – so handy! Thanks!
I’m trying to set this up on all our PCs (25 in all). I’m using the -ci options and putting the .bat in the startup. Unfortunately I can’t get it to work invisibly… the command line box stays up until it’s closed by the user. How can I get this to close automatically? Here is my .bat file…
"c:\Program Files\USBVirusScan\USBVirusScan.exe" -ci "c:\Program Files\McAfee\VirusScan Enterprise\csscan.exe" /secure /quiet /log "c:\Program Files\USBVirusScan\USBvirusScanlog.txt" %%c:
TIA!
Kelly
Comment by Kelly Whitaker — Tuesday 19 February 2008 @ 17:49
Hi Didier,
I am using version 1.5 of this great tool. My question is if it is possible to run it as a service (in Win 2k and above) because I do not want to have it in the startup folder or the in the run area of HKLM.
Cheers from Mexico
Jürgen
Comment by Juergen — Wednesday 20 February 2008 @ 3:27
It is not programmed as a service, so you cannot install it as a service.
But it is on my todo list.
Comment by Didier Stevens — Thursday 21 February 2008 @ 10:08
Hi there Didier, great program, where / how do insert the lines for volume name of the inserted drive or the volume serial number of the inserted drive
cheers
Stu
Comment by Stu — Monday 3 March 2008 @ 12:55
On the command line when you start USBVirusScan, here is an example with notepad:
USBVirusScan notepad %s
After you’ve started USBVirusScan like this, insert a USB drive, and USBVirusScan will launch notepad to open a file with a name that is the serial number of the USB drive.
Comment by Didier Stevens — Tuesday 18 March 2008 @ 15:30
This is a fantastic contribution, Didier! Thank you!
To enable the user to have fuller control of what happens upon insertion/connection, I’ve written a small program called AutoRunGuard, that picks up right where USBVirusScan left off.
It’s easy to customize the AutoRunGuard rules for whatever kind of functionality you want. For example:
-Make an ordinary USB stick with your portable apps work like a U3 drive (Verify integrity and auto-launch.)
-Mount a TrueCrypt volume when a specific stick is inserted.
-Check for infection by autorun worms (even those not recognized by your AV program), and inoculate the drive from being used that way.
-Offer a menu with relevant options, such as “Scan for viruses”, “Open in Explorer”, or whatever.
I hope it’s helpful! It’s free! Check it out at http://autorun.synthasite.com
Dan
Comment by Daniel McCloy — Saturday 5 April 2008 @ 5:37
I notice from your source code (FirstDriveFromMask) that USBVirusScan only invokes the cmd on the first drive letter, and ignores other simultaneous drive letter insertions. Is there a good reason for that, or would it make more sense to invoke the cmd each of them?
Comment by Bill Rubin — Monday 7 April 2008 @ 1:23
Excellent observation, it’s also something I noticed when reviewing the code (remember, I forked this from USBDumper). It’s on my todo list, along with the Windows service version.
Comment by Didier Stevens — Monday 7 April 2008 @ 19:12
[...] Download UsbVirusScan from its official site [...]
Pingback by How to start an automatic antivirus scan when USB sticks are inserted into the PC - Geekissimo — Monday 14 April 2008 @ 8:00
[...] Download UsbVirusScan from its official site [...]
Pingback by Tips: How to start an automatic antivirus scan when USB sticks are inserted into the PC | FDS — Monday 14 April 2008 @ 9:34
[...] USBVirusScan [...]
Pingback by USBVirusScan: Automatic virus scanning, when plug in USB Flash Drive » D' Technology Weblog: Technology, Blogging, Tips, Tricks, Computer, Hardware, Software, Tutorials, Internet, Web, Gadgets, Fashion, LifeStyle, Entertainment, News and more by Dee — Tuesday 27 May 2008 @ 10:32
[...] the software I am talking about is called, not by chance, UsbVirusScan, which with a few commands we can make very useful for what we want, the security that [...]
Pingback by How to check for viruses on a pen drive as soon as it is inserted into the PC on Sparkblog.org — Monday 16 June 2008 @ 8:56
Hello Didier,
Thanks for such a useful tool.
My problem is that I would like to get scan results into a “log.txt” that has the same information and similar format as McAfee VirusScan 8.0i or 8.5i scan logs. Is this or something similar possible? I am interested in being able to identify any viruses that are found, cleaned, moved, or deleted.
If yes, would you please provide the code.
Thanks in advance.
Sheldon
For example (McAfee VirusScan Log):
2/27/2008 2:10:52 AM Engine version = 5.2.00
2/27/2008 2:10:52 AM DAT version = 5236
2/27/2008 2:10:52 AM Number of virus signatures in EXTRA.DAT = None
2/27/2008 2:10:52 AM Names of viruses that EXTRA.DAT can detect = None
2/27/2008 2:14:46 AM Engine version = 5.2.00
2/27/2008 2:14:46 AM DAT version = 5238
2/27/2008 2:14:46 AM Number of virus signatures in EXTRA.DAT = None
2/27/2008 2:14:46 AM Names of viruses that EXTRA.DAT can detect = None
2/27/2008 4:06:00 AM Statistics:
2/27/2008 4:06:00 AM Files scanned: 2437
2/27/2008 4:06:00 AM Files detected: 0
2/27/2008 4:06:00 AM Files cleaned: 0
2/27/2008 4:06:00 AM Files deleted: 0
2/27/2008 4:06:00 AM Files moved: 0
2/27/2008 12:57:45 PM Engine version = 5.2.00
2/27/2008 12:57:45 PM DAT version = 5238
2/27/2008 12:57:45 PM Number of virus signatures in EXTRA.DAT = None
2/27/2008 12:57:45 PM Names of viruses that EXTRA.DAT can detect = None
2/27/2008 1:48:45 PM Deleted NT AUTHORITY\SYSTEM svchost.exe E:\autorun.inf W32/USBCasv!inf (Trojan)
2/27/2008 10:46:31 PM Statistics:
2/27/2008 10:46:31 PM Files scanned: 2376
2/27/2008 10:46:31 PM Files detected: 1
2/27/2008 10:46:31 PM Files cleaned: 0
2/27/2008 10:46:31 PM Files deleted: 1
2/27/2008 10:46:31 PM Files moved: 0
Comment by Sheldon — Monday 23 June 2008 @ 21:10
Add the /log option with a file name.
Comment by Didier Stevens — Tuesday 24 June 2008 @ 8:31
So, how would I get this to work with the Trend Micro command-line scanner?
http://esupport.trendmicro.com/support/viewxml.do?ContentID=en-117058
How can I point it at the new (USB Drive) drive letter?
Comment by Brandon — Thursday 26 June 2008 @ 18:34
How do you do it manually? What command do you have to type to start a command-line scan of drive E:?
Comment by Didier Stevens — Thursday 26 June 2008 @ 19:44
[...] AVGFREE 7.5
USBVirusScan.exe "C:\Program Files\Grisoft\AVG7\avgscan.exe" /clean %%c:
Kaspersky Anti-Virus
USBVirusScan.exe "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.com" scan /i3 %%c
Kaspersky Internet Security
USBVirusScan.exe "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.com" scan /i3 %%c
Norton AntiVirus 2008
USBVirusScan.exe "C:\Program Files\Norton Antivirus\navw32.exe" %%c:
ESET NOD32 Antivirus
USBVirusScan.exe "C:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe" /action=clean %%c:
ClamWin
USBVirusScan.exe "C:\Program Files\ClamWin\bin\clamscan.exe" --database="C:\ProgramData\.clamwin\db" %%c:
Note: ClamWin is a bit tricky because you need to specify the virus definition database location. What I provided above is the default database location in Windows Vista. To check the location of the virus definition database, run ClamWin, go to Tools > Preferences > File Locations.
avast! 4 Professional
USBVirusScan.exe "C:\Program Files\Alwil Software\Avast4\ashCmd.exe" %%c /P=[31]
Note: avast! 4 Home Edition does not support command line scanning.
There are other features such as hiding USBVirusScan from appearing and etc. Do check out the official website for more information. USBVirusScan Didier Stevens [...]
Pingback by Autorun antivirus when USB drive is inserted — Sunday 29 June 2008 @ 7:31
Thank you very much for this program, it is wonderfully useful!
I would only like to make one request:
Could you implement a switch that, when used, would also trigger the cmd for removable drives ALREADY connected at the moment the program is started?
This would be useful in situations like when the computer is turned on or the user logs on with the USB removable drive already connected.
Thank you again!
Comment by ZORAX — Sunday 29 June 2008 @ 17:35
Interesting suggestion, which shouldn’t be too hard to implement. If more than one USB drive is already connected, I’ll launch parallel scans (that’s probably easier to code than sequential).
Comment by Didier Stevens — Monday 30 June 2008 @ 21:25
Hello Again Didier,
Is it possible to have the ‘volume name’(%v), and ’serial number’(%s) appear in the scan log for each drive? If yes, what syntax should be used?
Thanks in advance.
-srd-
Comment by Sheldon — Wednesday 2 July 2008 @ 22:31
what’s the command line for AVG Free 8 ?
Comment by harold — Sunday 6 July 2008 @ 10:37
@Harold:
Take a look here for some configurations:
http://www.ditii.com/2008/04/14/usbvirusscan-automatic-virus-scanning-when-plug-in-usb-flash-drive/
Comment by Didier Stevens — Tuesday 8 July 2008 @ 19:29
@Sheldon:
The scan log is written by the AV scanner, so you should research your AV product to see if you can pass parameters for the log, but I doubt this would be supported. What you could do is use the %v and %s parameters to build the name of the log file.
Comment by Didier Stevens — Tuesday 8 July 2008 @ 19:32
Should be useful for non-U3 USB drives. Personally I’ve got a SanDisk Cruzer with avast! and XoftSpy Portable, and that seems to be enough for me
Comment by PCSecurityExpert — Tuesday 15 July 2008 @ 12:55
Thanks for this great program Didier. I’ve been working with Sheldon and we’ve managed to get it up and running in two computer labs here at the University and it’s working great. As far as an auto-startup or running as a service, as some people have been mentioning, we’ve set up a scheduled task that runs on user logon on all the computers, and that works really well. I do have one question though: Is there a way for the program to execute a particular command on device removal? Or does that require additional modification of the exe?
Comment by Dave — Tuesday 15 July 2008 @ 16:31
No, USBVirusScan only triggers on device insertion (DBT_DEVICEARRIVAL wParam for message WM_DEVICECHANGE, to be precise). But it’s really simple to trigger also on device removal (that would be DBT_DEVICEREMOVECOMPLETE).
I can add this in a new version. I would add a new switch (-r) to instruct USBVirusScan to start the command also at device removal, and a new placeholder (%e for event) equal to A when a device is inserted, and R when a device is removed.
Then you write a script as the command to be launched by USBVirusScan when a drive is inserted or removed. In your script, you test for the value of %e and then decide if it needs to perform a AV scan (insert) or another command (remove).
At removal, you can only use the %e and %d placeholders. The others make no sense when removing a device.
Would this suit your need?
Comment by Didier Stevens — Tuesday 15 July 2008 @ 18:48
That sounds perfect. I’m actually trying to do the same here on my end, mostly for experience and to get a better feel for how the program works internally. Most of it makes perfect sense to me, the only part that’s difficult is knowing how to use the functions that aren’t defined in the .c file itself, mainly since I don’t know where the .h files you include at the beginning are located. We’re both looking forward to seeing the latest version of the program once it’s complete.
Comment by Dave — Thursday 17 July 2008 @ 13:39
You’re probably talking about the Windows API. Look these functions up in MSDN: http://msdn.microsoft.com/en-us/library/default.aspx
Comment by Didier Stevens — Thursday 17 July 2008 @ 18:44
[...] large amounts of crap. Also has cool pacman hourglass-equivalent icon while analyzing your drive. USBVirusScan – Needs some setup (futzing witha batch file or VBS file), but in the end will execute a program [...]
Pingback by Ploofle » Blog Archive » Software list — Tuesday 12 August 2008 @ 8:36
This is a great program. I wanna know whether the command line option can take multiple commands, so I can use different AV products to scan the usb drive. In my case several AV products are installed, launch one AV at a time. After scanning unload the AV and launch the next and so on.
Comment by John — Tuesday 19 August 2008 @ 9:51
No, but call your AVs by doing one of the following:
- create a .BAT file
- create a VBscript
- start cmd with the command separator &&, example: cmd /c dir %d && pause
Comment by Didier Stevens — Tuesday 19 August 2008 @ 10:50
For CA Etrust and CA ITM use:
start USBVirusScan.exe -i -e -s "C:\Program Files\CA\eTrustITM\Shellscn.exe" %%d: /start
Comment by Andrew — Wednesday 17 September 2008 @ 19:25
I rolled this out to 400+ desktops automatically using ZenWorks For Desktops (Novell).
Works excellently.
Thank you so much for solving such a huge headache for us.
Comment by Bux — Friday 26 September 2008 @ 9:42
guys,
does anyone know how to make this run in avg 8?
thanks for the help
Comment by Vic — Monday 29 September 2008 @ 7:43
Good day Didier,
I need your help. I just got the program working. My .bat file looks like this:
USBVirusScan.exe "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.com" scan /REMDRIVES /i3 /RA:scanlog.txt
I don’t know if there’s something wrong with the command line but it does the job and makes a log of the scan done. I set the .bat file to run during startup. Just like Kelly Whitaker (comment #53). I would like to know how to automatically close the command line box.
[quote="Kelly Whitaker"]#53
This is a great program – so handy! Thanks!
I’m trying to set this up on all our PCs (25 in all). I’m using the -ci options and putting the .bat in the startup. Unfortunately I can’t get it to work invisibly… the command line box stays up until it’s closed by the user. How can I get this to close automatically? Here is my .bat file…
"c:\Program Files\USBVirusScan\USBVirusScan.exe" -ci "c:\Program Files\McAfee\VirusScan Enterprise\csscan.exe" /secure /quiet /log "c:\Program Files\USBVirusScan\USBvirusScanlog.txt" %%c:
TIA!
Kelly
Comment by Kelly Whitaker — Tuesday 19 February 2008 @ 17:49[/quote]
Comment by nikitaluger — Wednesday 15 October 2008 @ 19:57
How do you make Windows start your bat file at startup? Do you put it in the Startup folder?
Comment by Didier Stevens — Wednesday 15 October 2008 @ 20:55
Great program! Didier for president!
There’s only one thing missing for me: the syntax for the %v parameter. Would it be "…USBVirusScan.exe" %v"volumename"?
Thanx in advance!
Comment by Holger — Sunday 19 October 2008 @ 16:18
No, the % parameters are replaced by their value when a USB stick is inserted. For the %v parameter, USBVirusScan will replace it with the volumename of the inserted drive. But if your USB stick has no volumename, %v is equal to the empty string.
Comment by Didier Stevens — Tuesday 21 October 2008 @ 21:54
Hello,
Thanks Didier for the script! I am running USBVirusScan with AutoRunGuard. I recently upgraded to AVG 8 Free Edition and I am working on creating the new command needed to call AVG as a command line scanner. I have almost figured it out, but I need some help to tweak the command. Once the command works, I would like to post it on the AutoRunGuard forum: http://autorun.synthasite.com/.
So far, my start.bat file in USBVirusScan only calls AutoRunGuard:
In AutoRunGuard, my current command line to call AVG8 is:
When I insert a USB drive, the terminal appears and I am given the option to open the drive or scan for viruses. If I select scan, the program calls AVG, but it appears that AVG doesn’t actually scan the drive since the number of scanned objects = 0 (and there are many files on my drive). Here is the exact readout when I call AVG:
Any ideas about what is going on? Thanks very much. Before I used the setup with the given command for AVG 7 Professional Edition, but I’m not sure how to update the command.
Thanks in advance!
Comment by Nate — Thursday 23 October 2008 @ 7:36
Apologies, for some reason the quotes that should have been inserted in the above post were not included. Here are the quotes again.
start.bat file:
USBVirusScan.exe "c:\Program Files\AutoRunGuard\AutoRunGuard.cmd" /target %%g: /secure /quiet /log c:\log.txt
command line for AVG8:
"%ProgramFiles%\AVG\AVG8\avgscanx.exe" /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC "%d%\"
readout from terminal upon calling AVG8:
AVG 8.0 Anti-Virus command line scanner
Copyright (c) 1992 – 2008 AVG Technologies
Program version 8.0.145, engine 8.0.0
Virus Database: Version 270.8.2/1740 2008-10-22
Objects scanned : 0
Found infections : 0
Found PUPs : 0
Healed infections : 0
Healed PUPs : 0
Warnings : 0
Comment by Nate — Thursday 23 October 2008 @ 7:39
I don’t know AutoRunGuard, but USBVirusScan has no %g parameter.
And if it is USBVirusScan that starts the command-line for AVG8, you should write "%d:\" for the drive, not "%d%\".
%d is the drive letter (e.g. C), not the drive (e.g. C:).
Comment by Didier Stevens — Thursday 23 October 2008 @ 7:57
Thanks Didier,
Maybe I’m making it too complicated here. I am going to try to have USBVirusScan call AVG8 directly. I admit I’m new to editing batch files, so this may be part of my problem. Although I would eventually like to define specific actions based on volume information as you note in your introduction at the top, for now I just need to get the AVG scan working each time a USB device is inserted.
This is what my start.bat file contains at the moment:
USBVirusScan.exe “c:\%ProgramFiles%\AVG\AVG8\avgscanx.exe” /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC “%d:\” /log c:\log.txt
USBVirusScan notepad.exe %d:\readme.txt
When I doubleclick the .exe file to run the program, I get the following message:
USBVirusScan requires the AV-scan command as command-line argument.
There are then some notes about constructing the command and a sample command for McAfee. If I click ok, the program closes.
I suspect I am making a very simple mistake, but any pointers would be much appreciated.
Thanks!
Comment by Nate — Thursday 23 October 2008 @ 14:39
You must execute start.bat, not the .exe. The BAT file will start the executable.
And start.bat should only call UsbVirusScan.exe once.
Comment by Didier Stevens — Thursday 23 October 2008 @ 17:52
Ok, I’m making progress. I’ve adjusted the bat file to read:
USBVirusScan.exe “c:\ProgramFiles\AVG\AVG8\avgscanx.exe” /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC “%d:\” /log c:\log.txt
I can now launch the program by executing the bat. However, when I insert a USB drive nothing happens. No errors, but apparently no scans either. My command line definitely points to the correct file, so I’m not sure what to check next. Any ideas?
Comment by Nate — Friday 24 October 2008 @ 14:44
Flag -d adds debugging support to USBVirusScan. When this flag is present, USBVirusScan will write debug output when drives are inserted. This debug output can be viewed with DebugView. http://www.microsoft.com/technet/sysinternals/utilities/debugview.mspx
So start DebugView.
Then start your command with the -d flag:
USBVirusScan.exe -d “c:\ProgramFiles\AVG\AVG8\avgscanx.exe” /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC “%d:\” /log c:\log.txt
Insert a USB stick and look at the messages appearing in debugview.
Comment by Didier Stevens — Friday 24 October 2008 @ 17:30
Done. Here’s the readout. I note the serial number is displayed, which is handy. I’m not sure how to interpret the readout, though.
00000000 0.00000000 [2144] Drive G: inserted.
00000001 0.00000000 [2144] Volume name: NJ DRIVE
00000002 0.00000000 [2144] Serial number: 152F0FD3
00000003 0.00000000 [2144] Filesystem: FAT
00000004 0.00019192 [2144] “c:\ProgramFiles\AVG\AVG8\avgscanx.exeö /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC ô\” /log c:\log.txt
00000005 0.00022908 [2144] “c:\ProgramFiles\AVG\AVG8\avgscanx.exeö /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC ô\” /log c:\log.txt
Comment by Nate — Saturday 25 October 2008 @ 2:58
EDIT: is AVG8 somehow launching twice?
Comment by Nate — Saturday 25 October 2008 @ 3:07
No, AVG is not launched twice. Line 4 is the command before parameter substitution, line 5 is the command with parameter substitution, exactly as it will be running. Can you check if you’re using the correct double quotes character? That’s hexadecimal 22. Or mail me your BAT file if you’re not sure.
Comment by Didier Stevens — Saturday 25 October 2008 @ 8:56
I’m pretty sure it’s hex 22, but I couldn’t find a way to test it for sure. I have no other double quotes character anywhere on my laptop keyboard. I tried to email you the BAT file but the mail got returned as a security hazard. Maybe you can clear my email address so I can resend?
Comment by Nate — Saturday 25 October 2008 @ 11:41
[...] Download UsbVirusScan from its official site [...]
Pingback by Come avviare una scansione antivirus automatica all’inserimento delle penne USB nel PC « Inco51’s Blog — Saturday 25 October 2008 @ 18:32
RESOLVED: With assistance from Didier I discovered the correct command line argument to start AVG8 free and perform a scan successfully. The problem was specifying the correct path after the SCAN parameter.
The command line argument below worked for me:
USBVirusScan.exe -d "c:\Program Files\AVG\AVG8\avgscanx.exe" /EXT=* /SCAN="%%d:\" /ARC "%%d:\" /log c:\log.txt
Comment by Nate — Tuesday 28 October 2008 @ 12:11
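The checks that come up in this exchange can be run over a BAT file before it is deployed: double quotes that are not hex 22, a placeholder USBVirusScan does not have (such as %g), and a single % where the working commands in the comments use %%. The linter below is an added example, not part of the original comments or of USBVirusScan; its function names and the sample file are constructed, and it treats only the placeholders this page lists (%d, %c, %v, %s, %f) as known.

```python
import re

# Placeholders this page documents for USBVirusScan: %d, %c (legacy), %v, %s, %f.
KNOWN_PLACEHOLDERS = set("dcvsf")

# Characters that render like a double quote but are not hex 22. Saved as
# Windows-1252 they are bytes 0x93/0x94, which code pages 437 and 850 show as
# the letters ô and ö.
QUOTE_LOOKALIKES = {"\u201c": "U+201C", "\u201d": "U+201D"}

PERCENT_TOKEN = re.compile(
    r"%%(?P<placeholder>[A-Za-z])"   # %%d: cmd.exe passes %d on to the tool
    r"|%(?P<batch_arg>[0-9*])"       # %1 .. %9, %*: arguments of the BAT file
    r"|%(?P<env>[A-Za-z_][\w()]*)%"  # %ProgramFiles%: environment variable
    r"|%(?P<bare>[A-Za-z])"          # %d: single percent, interpreted by cmd.exe
)


def decode_bat(raw: bytes) -> str:
    """Decode as UTF-8 when valid, otherwise as Windows-1252 ("ANSI")."""
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode("cp1252", errors="replace")


def lint_bat(raw: bytes):
    """Return findings as (line, column, kind, detail) tuples, 1-based."""
    findings = []
    for lineno, line in enumerate(decode_bat(raw).splitlines(), start=1):
        # Quote check: applies to every line of the file.
        for col, ch in enumerate(line, start=1):
            if ch in QUOTE_LOOKALIKES:
                findings.append((lineno, col, "quote",
                                 f"{QUOTE_LOOKALIKES[ch]} is not hex 22"))
        # Placeholder checks: only on the line that launches USBVirusScan.
        if "usbvirusscan" not in line.lower():
            continue
        for m in PERCENT_TOKEN.finditer(line):
            col = m.start() + 1
            if m.group("placeholder"):
                letter = m.group("placeholder")
                # Upper-case letters are accepted here because %%C: appears
                # in a command quoted in the comments.
                if letter.lower() not in KNOWN_PLACEHOLDERS:
                    findings.append((lineno, col, "unknown-placeholder",
                                     f"%{letter} is not a USBVirusScan placeholder"))
            elif m.group("bare"):
                letter = m.group("bare")
                findings.append((lineno, col, "single-percent",
                                 f"%{letter} needs to be written %%{letter} in a BAT file"))
    return findings


# Constructed sample, modelled on command lines quoted in the comments.
# Line 1 uses Windows-1252 curly quotes and a single %; line 2 uses %%g.
SAMPLE_BAT = (
    b'USBVirusScan.exe -d \x93c:\\Program Files\\AVG\\AVG8\\avgscanx.exe\x94'
    b' /SCAN=\x93%d:\\\x94 /log c:\\log.txt\r\n'
    b'USBVirusScan.exe "c:\\Program Files\\AutoRunGuard\\AutoRunGuard.cmd"'
    b' /target %%g: /log c:\\log.txt\r\n'
    b'"c:\\Program Files\\USBVirusScan\\USBVirusScan.exe" -ce c:\\scanusb.bat %%c:\r\n'
    b'USBVirusScan.exe "%ProgramFiles%\\AVG\\AVG8\\avgscanx.exe"'
    b' /SCAN="%%d:\\" /log c:\\log.txt\r\n'
)

if __name__ == "__main__":
    for lineno, col, kind, detail in lint_bat(SAMPLE_BAT):
        print(f"line {lineno}, column {col}: {kind}: {detail}")
```

To check a real file, pass its bytes: `lint_bat(open(path, "rb").read())`.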
Hi! I only want to ask a question: Can I use USBVirusScan on a Linux OS, like Fedora?
Well, I hope for a response soon, best regards,
Comment by MaryG — Wednesday 19 November 2008 @ 21:21
No, USBVirusScan is a win32 program.
Comment by Didier Stevens — Wednesday 19 November 2008 @ 21:25
Thanks for a great program. It is a very good tool. I have it set up like Kelly Whitaker, with it launching as a user logs in and then whenever portable media is inserted it scans and creates a log. I have a question about detection. I am using McAfee 8.5i and USBVirusScan creates a log for me that is appended at the end, but do I need to review this log after every scan or will McAfee give me a pop-up with the detection and action taken if something is found? I have been trying to get the log to display after it scans a device by editing my startUSBVirusScan.bat, currently:
"c:\Program Files\USBVirusScan\USBVirusScan.exe" -ce
"c:\Program Files\McAfee\VirusScan Enterprise\csscan.exe" /secure /quiet /log "c:\Program Files\USBVirusScan\USBvirusScanlog.txt" %%c:
start iexplore "C:\Program Files\USBVirusScan\USBvirusScanlog.txt"
cls
It works fine from a command line, but does everything but display the log when a USB is inserted. Any help appreciated.
Thanks
Comment by Rob Hoag — Tuesday 9 December 2008 @ 21:41
You should make 2 bat files. One to start USBVirusScan, for example at logon time. And a second one to execute when a USB stick is inserted. My examples assume the bat files are stored in the root directory, you’ll have to adapt that to your liking.
startUSBVirusScan.bat:
"c:\Program Files\USBVirusScan\USBVirusScan.exe" -ce c:\scanusb.bat %%c:
scanusb.bat:
"c:\Program Files\McAfee\VirusScan Enterprise\csscan.exe" /secure /quiet /log "c:\Program Files\USBVirusScan\USBvirusScanlog.txt" %1
notepad "C:\Program Files\USBVirusScan\USBvirusScanlog.txt"
cls
And you won’t get pop-ups alerting you for a detected virus, because this is an on-demand-scan.
Comment by Didier Stevens — Wednesday 10 December 2008 @ 21:15
[...] Martin, take a look at this tool >>> http://blog.didierstevens.com/programs/usbvirusscan/ It is called USBVirusScan because the author wanted to have the sticks scanned… In reality [...]
Pingback by ereignisgesteuerte Synchronisierung von Ordnern - PC-WELT - FORUM — Sunday 14 December 2008 @ 2:04
Hi,
Nice way, I got my own recipe using Portable ClamAV + Windows batch + Autorun.inf. Check it out here:
http://extremesecurity.blogspot.com/2008/06/usb-dongle-auto-malwares-scanning-with.html
Cheers ;]
Comment by Aa'ed Alqarta — Sunday 14 December 2008 @ 16:35
[...] Download UsbVirusScan from its official site [...]
Pingback by Guide : Guide e applicazioni Web — Wednesday 17 December 2008 @ 19:21
[...] I need command line scanner to use this http://blog.didierstevens.com/programs/usbvirusscan/. 2. Why u prefer 3rd party tools in place of free Microsoft Windows defender + real time [...]
Pingback by i need a Good free security combination - Raymond.CC Forum — Friday 2 January 2009 @ 7:47
Hello there! It’s a really useful program, but every time it starts it scans only C:
Where is the mistake?
USBVirusScan.exe -s -c "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe" /GUIMODE=2 /PATH= "F:\"
…and -c is not working.
Thank u in advance
Comment by Porter — Wednesday 14 January 2009 @ 22:28
What happens when you type
"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe" /GUIMODE=2 /PATH= "F:\"
directly in the command line? Does F: get scanned or C:? If it’s C:, then this means your Avira /PATH command is wrong. Is the space necessary?
Comment by Didier Stevens — Thursday 15 January 2009 @ 9:44
These are examples from Avira’s support site:
C:\Program Files\Avira\AntiVir …\avscan.exe /CFG="C:\Program Files\Avira\AntiVir …\scan.avp"
C:\Program Files\Avira\AntiVir …\avscan.exe /PATH="%WINDIR%"
C:\Program Files\Avira\AntiVir …\avscan.exe /PATH="C:\Downloads\"
C:\Program Files\Avira\AntiVir …\avscan.exe /PATH="C:\Downloads\%1"
This is the last line I’ve used:
USBVirusScan.exe -s -c "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe" /GUIMODE=2 /PATH="G:\"
I’ve tried many combinations, but it doesn’t matter what is after /PATH= … it scans C:\windows and later C:\documents…
Most probably the fault isn’t in your program, but this makes me angry
Thank you for your time
Comment by Porter — Thursday 15 January 2009 @ 18:09
Finally – it’s working with AVIRA FREE Personal edition :)
But I followed some other instructions on Avira’s support site (http://www.avira.com/en/support/faq/details.html?id=229) and I’ve downloaded the filescan.avp file.
And then – voila:
USBVirusScan.exe -s -c "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe" /GUIMODE=2 /CFG="C:\Program Files\Avira\AntiVir PersonalEdition Classic\filescan.avp" /PATH="g:\"
Thank you again
Comment by Porter — Thursday 15 January 2009 @ 18:22
[...] http://blog.didierstevens.com/programs/usbvirusscan/ [...]
Pingback by Useful tool to scan USB drives for viruses on insertion | JacobyTech Blog — Wednesday 21 January 2009 @ 16:32
[...] Some antivirus programs have the option to scan every device we connect to the computer; if ours does not have it, we have to use the program USBVirusScan. [...]
Pingback by Te Ayudo- Proteger/limpiar de virus nuestro mp3, iPod, Disco USB, cámara. — Sunday 25 January 2009 @ 21:07
How do I get it to work in symantec end point protection.
Thank u
Comment by alan — Sunday 8 February 2009 @ 21:12
For end point protection? Doesn’t it scan USB drives?
Comment by Didier Stevens — Thursday 12 February 2009 @ 15:40
Hi Again
I’m trying to edit the Start batch file to run with Symantec AntiVirus endpoint protection. I need the command for that.
Thank u
Comment by alan — Sunday 15 February 2009 @ 19:00
Hey Didier,
Funny that Alan just asked you about Endpoint… I’m attempting to use your solution with it as well. I’ve pretty much given up on Endpoint and gone back to AV 10. I’ve been all over Symantec’s boards attempting to find a way of getting it to work with USBVirusScan, but haven’t found any solutions yet. I would love if you were able to find something I missed.
As for Endpoint scanning USB drives, the answer is yes and no. Endpoint relies exclusively on ActiveThreat detection, and therefore is only paying attention to executions from the drives. You can use the Right-Click context menu to manually scan a drive in its entirety, but there’s no flag within the application to automatically conduct a full file scan of a particular drive upon insertion. They say they’ll look into adding this to a subsequent version.
Thanks for all your work on this.
-Tim
Comment by Tim — Wednesday 18 February 2009 @ 1:52
@Tim: thanks for the feedback.
@Alan: apparently Symantec AntiVirus endpoint protection has no command-line to scan a drive.
Comment by Didier Stevens — Friday 20 February 2009 @ 8:29
[...] Download UsbVirusScan from its official site 2. Unpack it into any folder 3. Right-click and select Edit on the file [...]
Pingback by Antivirus e penne USB « Risorse Free online’s Blog — Friday 20 February 2009 @ 11:11
[...] Usb Virus Scan [...]
Pingback by 10 Usb Flash Drive Freeware Programs | JonnysBlog — Friday 27 February 2009 @ 22:02
Great tool, I have included in my roundup of 10 usb tools here:
http://www.jonnysblog.com/2009/02/27/10-usb-flash-drive-freeware-programs/
Cheers
Comment by Jonny — Tuesday 17 March 2009 @ 18:56
[...] Download UsbVirusScan from its official site [...]
Pingback by Software-for-you » Blog Archive » Guide — Friday 20 March 2009 @ 9:06
hey there
will you be adding ‘run as a service’ option pretty soon?
Thanks
Comment by raj — Friday 20 March 2009 @ 18:09
Not soon, maybe in a couple of months.
Comment by Didier Stevens — Friday 20 March 2009 @ 18:19
Thanks for the great app. It’s been handy.
But, can you implement an ignore switch?
I have a few external hard disks plugged into my laptop, and I wish my antivirus would ignore scanning them.
Let’s say, the switch would be:
Don’t execute commands if X file exists in the plugged in device.
thanks again
Comment by Fendi — Tuesday 14 April 2009 @ 10:45
Because it’s easy to do this in a script called by USBVirusScan, I don’t add such a feature to the tool.
Comment by Didier Stevens — Friday 17 April 2009 @ 22:29
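One way to write the kind of script the reply above refers to, as an added example rather than code from the thread: a handler that USBVirusScan starts with %d and %s, and that skips the scan when a marker file sits in the drive root or the volume serial is on a host-side ignore list (the second check goes beyond the request and uses the %s placeholder this page describes). The marker name noscan.txt, the sample serial, the file name usb_handler.py and a python on the PATH are assumptions; the csscan command line is the one quoted earlier in the comments.

```python
# Launch line for the BAT file that starts USBVirusScan (assumed paths):
#   USBVirusScan.exe python c:\bin\usb_handler.py %%d %%s
# %v is left out on purpose: it is empty for drives without a volume name,
# which would shift the remaining arguments.
import re
import subprocess
import sys
from pathlib import Path

MARKER_NAME = "noscan.txt"        # assumed marker file name, in the drive root
IGNORED_SERIALS = {"0000ABCD"}    # constructed sample volume serial (%s value)

# Scanner command as quoted earlier in the comments (McAfee csscan).
SCANNER = r"c:\Program Files\McAfee\VirusScan Enterprise\csscan.exe"
SCAN_LOG = r"c:\Program Files\USBVirusScan\USBvirusScanlog.txt"


def decide(drive_letter, serial, drive_root=None):
    """Return ("skip", reason) or ("scan", argv) for one inserted drive.

    drive_root overrides the path checked for the marker file, so the
    decision can be exercised without a real drive.
    """
    # %d is the drive letter only (C, not C:), so accept exactly one letter.
    if not re.fullmatch(r"[A-Za-z]", drive_letter):
        raise ValueError(f"expected one drive letter, got {drive_letter!r}")
    drive = drive_letter.upper() + ":"
    root = Path(drive_root) if drive_root is not None else Path(drive + "\\")

    # The serial list is kept on the host; the marker file is on the device.
    if serial.upper() in IGNORED_SERIALS:
        return ("skip", f"serial {serial.upper()} is on the ignore list")
    if (root / MARKER_NAME).is_file():
        return ("skip", f"{MARKER_NAME} found on {drive}")

    # Argument list, not a command string: no shell parsing is involved.
    return ("scan", [SCANNER, "/secure", "/quiet", "/log", SCAN_LOG, drive])


def main(argv):
    if len(argv) != 2:
        print("usage: usb_handler.py <drive letter> <volume serial>")
        return 2
    action, detail = decide(argv[0], argv[1])
    if action == "skip":
        print("not scanning:", detail)
        return 0
    return subprocess.run(detail).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```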
Sorry, I’m very new at this. I’m using avg 8 and copied the script from #103 Nate, but don’t know if it works or not. Will a GUI come up from my antivirus, or does the command line scanner just scan the usb? If so, is there any confirmation of the scan completion, etc? Here’s my debugger log if it helps…
[4764] Drive F: inserted.
[4764] Volume name: MEMORY 8000
[4764] Serial number: C43166CE
[4764] Filesystem: FAT32
[4764] ôc:\Program Files\AVG\AVG8\avgscanx.exeö /EXT=* /SCAN=ö%d:\ö /ARC ô%d:\ö /log c:\log.txt
[4764] ôc:\Program Files\AVG\AVG8\avgscanx.exeö /EXT=* /SCAN=öF:\ö /ARC ôF:\ö /log c:\log.txt
Also, will the program start on startup, or is there something I need to do?
Thanks!
Comment by Ashley — Thursday 23 April 2009 @ 7:33
Good idea to include the debug. This definitively shows that USBVirusScan is working and is starting AVG.
Open the file c:\log.txt and look at the report to see if AVG scanned your USB stick.
No, USBVirusScan will not run on startup, you’ve to include it in one of the many autoruns, for example your startup folder of your startmenu.
Comment by Didier Stevens — Thursday 23 April 2009 @ 14:25
Console window is not closing with the -c option, please help
Comment by KAPS — Thursday 30 April 2009 @ 11:27
@KAPS Please provide more details, commands.
Comment by Didier Stevens — Thursday 30 April 2009 @ 12:25
hi, i am trying to run a .bat file to assign a drive letter to the flash inserted in the computer before it scans for viruses.
i am using mcafee enterprise 8.5i, it loops the .bat when i type it in command line.
this is how i did it, anything i did wrong?
"C:\Documents and Settings\user\Desktop\USBVirusScan_V1_7_2\USBVirusScan\USBVirusScan.exe" "usb.bat" "C:\Program Files\McAfee\VirusScan Enterprise\csscan.exe" /secure /log c:\log.txt %%c:
lemme know please, this is urgent.
Comment by Clive — Wednesday 6 May 2009 @ 13:30
So you want to execute usb.bat and then csscan? It won’t work the way you did it.
You have to create a bat file, let’s call it master.bat, that will call usb.bat and then start csscan.
master.bat has to be passed as argument to USBVirusScan.exe with the drive as parameter, like this (assuming master.bat is in the c:\bin directory):
USBVirusScan.exe c:\bin\master.bat %%c:
Comment by Didier Stevens — Wednesday 6 May 2009 @ 15:06
I want to assign a letter O and then scan it for viruses, so it should launch the usb.bat then scan with mcafee.
this is what i have.
"usb.bat" %%c: "C:\Program files\mcafee\virusscan enterprise\csscan.exe" /log c:\log.txt %%c:
what should i change?
Comment by Clive — Thursday 7 May 2009 @ 7:03
There’s something I don’t get. How can you assign it the letter O? What is the content of usb.bat?
Comment by Didier Stevens — Thursday 7 May 2009 @ 7:52
usb.bat contains this
diskpart /s disk.txt
i run a diskpart script to change drive letter
the disk.txt looks like this
select volume 3
assign letter=o
exit
i want it to change the drive letter because we have network drives that take up F:
when i start the program from the above command line in my previous comment it loops and doesn’t scan, please help.
Comment by Clive — Thursday 7 May 2009 @ 7:58
So the USB stick will always be on drive O:?
then add the csscan.exe command to usb.bat:
diskpart /s disk.txt
"C:\Program files\mcafee\virusscan enterprise\csscan.exe" /log c:\log.txt O:
And just call usb.bat:
"C:\Documents and Settings\user\Desktop\USBVirusScan_V1_7_2\USBVirusScan\USBVirusScan.exe" "usb.bat"
Comment by Didier Stevens — Thursday 7 May 2009 @ 8:49
im gonna test it soon. ill let you know.
Comment by Clive — Thursday 7 May 2009 @ 9:30
it works!! shot buddy!
i got USBVirus scan calling start.bat which looks like this
@echo off
if exist F: (usb.bat) ELSE "C:\Program files\mcafee\virusscan enterprise\csscan.exe" /target %o: /log c:\FlashScan.txt
so that will cancel usb.bat if the flash is already changed to o:. i changed the command line a bit for the virus scan as you can see, but thanks for your help! appreciate it buddy.
Comment by Anonymous — Thursday 7 May 2009 @ 9:54
Hi again, i get the program to work if i start it myself in windows.
but when i start it at startup, via registry, gpedit.msc’s startup script function or even the startup folder it does not work, it shows up in task manager as i used the -i command, when i kill it in taskmanager and restart it from the same file which is startup.bat it works.
why does it not work on startup?
i need help please guy, i know im prob irritating but i need to get this right.
how would you start it at startup?
Comment by clive — Thursday 7 May 2009 @ 13:06
It’s probably an issue with the current directory being different between a manual start and an automatic start. Maybe you need to provide an absolute path to the bat file.
So instead of
"C:\Documents and Settings\user\Desktop\USBVirusScan_V1_7_2\USBVirusScan\USBVirusScan.exe" "start.bat"
do
"C:\Documents and Settings\user\Desktop\USBVirusScan_V1_7_2\USBVirusScan\USBVirusScan.exe" "C:\Documents and Settings\user\Desktop\USBVirusScan_V1_7_2\USBVirusScan\start.bat"
Assuming start.bat is in the same folder as USBVirusScan.exe
Another option is to use the Scheduler to schedule a task to run at logon. With the scheduler, you can provide a working directory.
Comment by Didier Stevens — Thursday 7 May 2009 @ 13:12
ok thanks, dam im missing the simple stuff.
one last thing, im starting the .exe from a .bat, how do i hide the cmd window it stays open. it contains this.
"C:\USBVirusScan\USBVirusScan.exe" -c -e -s "C:\USBVirusScan\start.bat" %%c:
i added the absolute path. thanks.
when i open the startup.bat it leaves a cmd window open
Comment by clive — Thursday 7 May 2009 @ 13:21
Use the Task Scheduler and give it your command directly (i.e. with arguments):
"C:\USBVirusScan\USBVirusScan.exe" -c -e -s "C:\USBVirusScan\start.bat" %%c:
This way, no cmd.exe will be started to run the .bat file.
Comment by Didier Stevens — Thursday 7 May 2009 @ 13:30
yeah i did that now, thanks dude, you will go far, im surprised you haven’t thought of selling this to someone, you will make millions. dude copyright it as soon as possible. you can make money off it.
thanks a million for your help.
i’ll definitely tell people about your site
Comment by clive — Thursday 7 May 2009 @ 13:38
Is it anyway possible to avoid access to the removable drive or memory stick until the virusscan is completely finished? So whenever someone inserts a usb stick it should not popup in explorer until the virusscan is completed and if the stick is contaminated with a virus it should immediately disappear when the virusscanner fails to remove it (so not be accessible). Is this possible?
Comment by Geert — Monday 1 June 2009 @ 17:59
No, not with the techniques used by USBVirusScan (USBVirusScan doesn’t require installation and also works for restricted user accounts). One way to do this would be to develop a specific mini filter, like my ARIAD tool: http://blog.didierstevens.com/programs/ariad/
Comment by Didier Stevens — Tuesday 2 June 2009 @ 8:37
Hi Didier!
I was able to make USBVirusScan v1.7.2 prompt whenever a USB is inserted; however, no scanning happens. I am using ESET NOD32 Business Edition. What seems to be the problem?
Below are the contents of my start.bat:
USBVirusScan.exe "C:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe" /action=clean %%c: /secure /quiet /log c:\log.txt
When I insert a USB, it’s always drive F:
Hope you could help me on this. Thanks!
Comment by macwlm — Friday 28 August 2009 @ 7:51
@macwlm
I suggest you use the debug option to see what exact commands are issued by USBVirusScan. I explained in comment 97 how to do this.
Comment by Didier Stevens — Friday 28 August 2009 @ 11:23
Didier Stevens, Is it not possible to work with Symantec Endpoint Protection? Please suggest !!! Thanks.
Comment by Harikrishnan — Tuesday 13 October 2009 @ 15:32
It probably is possible, but I’m not familiar with SEP’s command-line.
How do you perform a scan from the command line?
Comment by Didier Stevens — Tuesday 13 October 2009 @ 16:40
[...] : Windows equivalents: USBDumper and USBVirusScan (Thanks [...]
Pingback by Danger pour les clés usb | Time0ut — Wednesday 14 October 2009 @ 7:55
I could not get the program running under task manager.
Instead, I’ve used visual basic.
— startusb.cmd —
@echo off
c:
cd\
cscript C:\USBVirusScan\startusb.vbs
——————–
— startusb.vbs —
Set WshShell = WScript.CreateObject("WScript.Shell")
obj = WshShell.Run("C:\USBVirusScan\USBVirusScan.exe -ce C:\USBVirusScan\scanUSB.cmd clean %%c:", 0)
set WshShell = Nothing
——————–
Use startusb.cmd in startup folder, or GPO.
Comment by EvylRat — Tuesday 20 October 2009 @ 10:02
Spoke too soon, does not work
Comment by EvylRat — Tuesday 20 October 2009 @ 10:25
Dear Didier Stevens!
Could you please put in the public domain (or send me by email) your first version of this tool? Since the directory listing is denied I can’t get it by myself. I just want to look at those sources because it’s much easier to investigate someone’s code when you begin with the initial idea (“28/09/2006: Start development” as stated in the History section in USBVirusScan.c). Thanks in advance!
PS USBVirusScan is a great candidate to be hosted on sf.net
Comment by NA — Tuesday 3 November 2009 @ 18:26
The oldest version in the folder is USBVirusScan_V1_1_0.zip, you can download it.
Comment by Didier Stevens — Wednesday 4 November 2009 @ 20:41
Didier,
I am trying to get USBVirusScan to run with Norman Anti-Virus. I am informed that the exe to run from Norman is called Nvcc.exe. So i try the following cmd;
USBVirusScan "C:\NORMAN\Nvc\Bin\Nvcc.exe"
Here are the available switches;
H:\>C:\NORMAN\Nvc\Bin\Nvcc.exe /?
NORMAN
Norman Virus Control Version 5.99.02 for WindowsNT/2K/XP Feb 11 2009 10:38:58
Copyright (c) 1993-2007 Norman ASA
Available options:
/-help Show help.
/? Show help.
/ALD Scan all local disks (not floppies).
/AD Scan all disks (not floppies).
/BS- Ignore system areas (default OFF).
/BS+ System areas only.
/B Do not sound alarm when infection found (default OFF).
/CL: Repair files and boot sectors: /CL:0 no /CL:1 yes,
/CL:2 also within archives (default in config).
/CL Repair files and boot sectors. Same as /CL:1 (Default in config).
/CP Scan compressed program files (default OFF).
/C: Scan archive files: /C:0 no, /C:1 yes (default in config).
/C Scan archive files. Same as /C:1 (default in config).
/FLOPPY Read NSE files from separate floppy..
/HUM Handle uncertified macros (Needs NSE\NVCMACRO.CRT from CatsClaw).
/H Show help.
/LG: Specify number of logfile generations (default number in Config).
/LF: Specify fully qualified log file name (Overrides /LD: and /LG:).
/LD: Specify directory for log files (default directory in Config).
/L: Set logging level: /L:0=no, 1=yes, 2=verbose (Default in Config).
/N Suppress the default memory scan.
/O Ignore errors (default OFF).
Type any key to continue
/Q Quiet mode. No stdout output (default OFF).
/R Repeat the scan (default OFF).
/SB: Use sandbox: /SB:0=Off, /SB:1=On. (Default value in Config).
/SN Do not allow user aborts (default OFF).
/S Scan subdirectories (Default when scanning drives).
/TEMP: Override environments TEMP/TMP.
/U Do not stop on errors or when infections found (default OFF).
/V Verbose mode (default OFF).
/W: Wait a number of milliseconds between each file (default 0).
/YH Abort when infection found (default OFF).
Any advice on how we can use your tool to automatically scan USB drives when connected?
Thanks
Tom
Comment by Tom — Thursday 5 November 2009 @ 11:45
I’m missing the syntax to scan a specific drive. Does C:\NORMAN\Nvc\Bin\Nvcc.exe E: scan drive E: (and no other drive)?
Comment by Didier Stevens — Thursday 5 November 2009 @ 16:51
I am trying to find out if anyone has successfully launched Microsoft Forefront using USBVirusScan on insertion of a USB Memory stick?
MSASCui.exe will launch Forefront from the command line but it won’t launch through USBVirusScan regardless of the switches used.
I’m using this in a batch file:
cd: "C:\program files\Microsoft Forefront\Client Security\Client\Antimalware"
START "IE" "c:\program files\USBVirusScan\USBVirusScan.exe" MSASCui.exe %%c:
I have managed to get Symantec working from a batch file fine using the following syntax for anyone who is struggling with batch files:
c:
cd "C:\program files\symantec antivirus"
START "IE" "C:\Program Files\USBVirusScan\USBVirusScan.exe" -i vpscan.exe /SHOWSCAN %%C:
Comment by Lauren Tennent — Tuesday 24 November 2009 @ 6:29
@Lauren
I suggest you use the debug option to see what exact commands are issued by USBVirusScan. I explained in comment 97 how to do this.
Comment by Didier Stevens — Wednesday 25 November 2009 @ 10:11
00000006 140.33766174 [3444] Drive E: inserted.
00000007 140.33766174 [3444] Volume name: UDISK 2.0
00000008 140.33766174 [3444] Serial number: 7CCB85CF
00000009 140.33766174 [3444] Filesystem: FAT
00000010 140.33772278 [3444] “c:\ProgramFiles\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe”
00000011 140.33821106 [3444] “c:\ProgramFiles\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe”
Comment by Lauren Tennent — Wednesday 25 November 2009 @ 12:41
I don’t understand how mpcmdrun.exe gets started if you don’t reference it in your command (cfr. #161). Did you change your command with which you start USBVirusScan?
Comment by Didier Stevens — Wednesday 25 November 2009 @ 20:03
Sorry I had run the wrong batch file.
Here is the log results running the following command:
c:
cd "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware"
START "IE" "C:\Program Files\USBVirusScan\USBVirusScan.exe" -d mpcmdrun.exe -scan %%c:
00000000 0.00000000 [3548] Drive E: inserted.
00000001 0.00000000 [3548] Volume name:
00000002 0.00000000 [3548] Serial number: 519A3CF1
00000003 0.00000000 [3548] Filesystem: FAT
00000004 0.00010996 [3548] mpcmdrun.exe -scan %c:
00000005 0.00021037 [3548] mpcmdrun.exe -scan E:
Using the mpcmdrun.exe -scan parameter without launching through usbvirusscan updates the signature files and then launches a full system scan. I wonder if it is failing because Forefront initially runs the signature file update?
Comment by Lauren Tennent — Wednesday 2 December 2009 @ 7:06
Don’t know. But you see that USBVirusScan starts mpcmdrun.exe -scan E:
I believe you have to change your bat file like this:
START "IE" "C:\Program Files\USBVirusScan\USBVirusScan.exe" -d "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -scan %%c:
Comment by Didier Stevens — Wednesday 2 December 2009 @ 21:30
For anyone using Symantec products (SAV … not sure about SEP) …
You can call a scan from the CMD-line of any drive you would like with VPScan.exe (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002100907421648).
I haven’t tried VPScan.exe with Didier’s aforementioned scripts, but have used VPScan.exe in VBS and BAT scripts I wrote and have deployed via Altiris. Works like a champ!! I found that prefacing the Scan (VPScan.exe) with a call to VPDN_LU.exe (Live Update) will bring your SAV client up to their latest / greatest virus defs and allow the VPScan.exe to get all them mean & nasty viruses.
Comment by Justin Baldwin — Friday 4 December 2009 @ 15:29
Unless Symantec has added new features to their latest versions of Endpoint Protection, then no, calling VPScan.exe will NOT WORK! I spent a week trying to find a way to get SEP to work with USBVirusScan. Hence why in comment #121, my solution was to drop back down to the SAV line of products.
I would really love it though if someone would prove me wrong on this point!
Comment by Tim — Friday 4 December 2009 @ 17:46
Great software, bought my granddaughter a netbook for Christmas and put on Kaspersky IS for ultra portables. Unlike its bigger brother KIS 2010 there is no function for auto scanning external drives and cards but this did the trick and doesn’t need any user input. If anyone is using KIS 2009 or earlier here is my batch file :-
start USBVirusScan.exe -e c:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.com SCAN /REMDRIVES /i3 /fa
The “start” at the beginning ensures that the CMD window closes after running (someone in an earlier post asked how to do this)
SCAN – tells avp what to do
/REMDRIVES – all removable drives and cards
/i3 – Treat infected objects and if disinfection fails, delete. Delete all compound objects completely if infected parts cannot be deleted.
/fa – Scan all files
There are different options, search KIS help file for scan.com
Comment by Terry Cullen — Wednesday 9 December 2009 @ 16:08