Didier Stevens

USBVirusScan

USBVirusScan will launch any program you provide as a command line parameter each time a USB stick is inserted. I use it to start a full virus scan on the inserted USB drive, hence the name.

For example, to start a cmd.exe on each USB drive you insert, you start USBVirusScan like this:

USBVirusScan cmd /k %d:

%d (or %c for legacy reasons) is a placeholder for the drive-letter of the inserted USB drive.

USBVirusScan uses a system tray icon and balloons to announce the insertion of a USB drive. If you want to hide this system tray icon, start USBVirusScan with option -i, like this:
USBVirusScan -i cmd /k %d:

You can also hide the command line console with option -c. This only works with Console applications, not with Windows applications. Option -e will disable the Exit command in the pop-up menu.

The -q switch will stop a running instance of USBVirusScan.

A new flag, -d, adds debugging support to USBVirusScan. When this flag is present, USBVirusScan will write debug output when drives are inserted. This debug output can be viewed with DebugView.

I added 3 placeholders with new versions:

  • %v is the volume name of the inserted drive
  • %s is the volume serial number of the inserted drive
  • %f is the filesystem (NTFS, FAT, …) of the inserted drive

The volume serial number is assigned by the operating system when a hard disk is formatted. It is not the serial number assigned by the manufacturer. See function GetVolumeInformation for details.

The volume name and volume serial number allow me to script different actions for the different USB drives I plug into my system. For example, when I insert my USB drive with my TrueCrypt protected data on it, my script automatically launches the TrueCrypt program to mount the drive, I just have to type the pass-phrase. Or when I insert my MP3 player, the script opens the folder with queued-up podcasts.

And for all other drives, I start a virus scan.

Here’s a Windows Script example (log.vbs) that will create a log.txt file on the inserted USB drive with the current date & time:

Dim objFSODim objTextFile

Dim strFilename
strFilename = Wscript.Arguments.Item(0) & ":log.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")

If objFSO.FileExists(strFilename) Then

	Set objTextFile = objFSO.OpenTextFile(strFilename, 8 )

Else

	Set objTextFile = objFSO.CreateTextFile(strFilename)

End If

objTextFile.WriteLine Now()

objTextFile.Close

You start it with this command: USBVirusScan.exe wscript log.vbs %d

Example of the content of the log file after inserting the USB drive twice:

14/10/2006 17:05:00

14/10/2006 17:05:21

I used sample code for system tray programming from this Code Project article, and for the rest I generate a new GUID and did some cosmetic changes to the original USBDumper code.

USBVirusScan is a 32-bit application, but it works fine on 64-bit Windows. It can launch 64-bit programs without problems, except Windows’ own applications that come in 32-bit and 64-bit versions. For example, if you configure USBVirusScan to launch calc.exe on 64-bit Windows 7, it will launch the 32-bit version of calc.exe and not the 64-bit version. This is due to the WOW64 filesystem redirection mechanism. USBVirusScan has an option (-w) to disable this WOW64 filesystem redirection (only for USBVirusScan, not for your other programs). Disabling WOW64 filesystem redirection allows USBVirusScan to launch the 64-bit version of calc.exe.

You can display a banner when a removable disk is inserted. Store the text of the banner in text file banner.txt and put this file in the same directory as USBVirusScan.exe. Option -b enables the display of the banner the first time a removable disk is mounted, and option -B enables the display of the banner the each time a removable disk is mounted.

Here is a YouTube movie showing you the program starting a virus scan. A hires (XviD) version can be found here.

Download:

USBVirusScan_V1_7_5.zip (https)
MD5: 614F200C34C56C4E9FF44506B2776633
SHA256: F5525276A647747336106683D2E7DD17CDDF0E8D6580D15C0299931215954CCA

This ZIP file contains both the executable and the source code. If you don’t plan to modify the source code of this program, you’ll only need to extract USBVirusScan.exe.

Compiled with Borland’s free C++ 5.5 compiler. Tested on Windows XP SP2, SP3, Windows Vista and Windows 7.

286 Comments »

  1. Interesting tool. Saw it mentioned on the security monkey blog.

    I don’t see instructions for using/installing it. Looking at the start.bat, I’m guessing that the program has to be installed on each usb device. If it is installed on the PC I don’t see how it would work.

    Thanks

    Comment by Rohn — Wednesday 29 November 2006 @ 7:53

  2. The program doesn’t require installation, and you don’t have to install it on each USB device.
    You just run it on the computer where the USB devices will be inserted, it listen to the events and detects when a USB device is inserted. And it doesn’t require admin rights.
    Say you want to open the readme.txt file on each USB device you insert. Run this command: USBVirusScan notepad.exe %d:\readme.txt

    Comment by Didier Stevens — Wednesday 29 November 2006 @ 18:23

  3. Thanks Didier, but I must be especially dense, I still don’t get it.

    To make the tool work follow these steps:

    1. unzip the downloaded file in a folder on the PC, any specific folder:
    /Windows/
    /System/
    /System32/
    /USBVirusscan/
    ???

    2. Edit the start.bat file, customizing it to identify actions you want taken when devices are inserted (where is it put?)

    3. what has to be done to make the PC recognize the app when USB device is inserted?
    Run a service?
    Put USBVirusscan in the startup folder?
    Put start.bat in the startup folder?
    ???

    Thanks

    Comment by Rohn — Thursday 30 November 2006 @ 8:43

  4. Fine program
    Is there a way to remove the exit option , at startup or other,,,

    I wanted to deploy it to a few workers that use USB keys. I had it start a symantec scan on the key. But the user has the ability to stop it , so there a security risk …

    Thanks

    Comment by Earl Yeo — Wednesday 6 December 2006 @ 12:48

  5. [...] new version ignores mounting of network [...]

    Pingback by USBVirusScan v1.3.0 « Didier Stevens — Monday 8 January 2007 @ 15:34

  6. [...] USB Virus Scan is a nice little command line utility that performs predefined operations if a usb drive is connected to your computer. It is able to distinguish between various drives which means that you can add custom operations for the drives that you own and a general option for drives that are not recognized. The tool uses the volume serial number of the drives to identify them and perform the operation. [...]

    Pingback by Autostart programs when a usb drive is connected » gHacks tech news — Monday 22 January 2007 @ 19:33

  7. Yeahhhh!

    Thanks a lot for this nifty piece of software :) I’m going to use it on a laptop in my car so that I can just plug any USB device with music on it.

    I make this program run Winamp for every USB device connected so that it loads all the music files on that drive, I later control Winamp with mtvoid’s Control Freak (http://mtvoid.com/) on an old Nokia 6680 through a bluetooth serial port.

    Sorted!

    Comment by Robert — Tuesday 30 January 2007 @ 17:07

  8. Didier,

    Thank you very much for this great application!! I hope I can once contribute to the Open Source community with something this useful!!

    More power to you!

    Comment by Hans Hansen — Thursday 1 February 2007 @ 7:07

  9. Great utility!!!! I am using it to update Virus Definitions and scan USB drives.
    Thanks a bunch!!!

    Comment by J Royston — Saturday 17 February 2007 @ 5:37

  10. [...] USB Virus Scan is a nice little command line utility that performs predefined operations if a usb drive is connected to your computer. It is able to distinguish between various drives which means that you can add custom operations for the drives that you own and a general option for drives that are not recognized. The tool uses the volume serial number of the drives to identify them and perform the operation. [...]

    Pingback by Autostart programs when a usb drive is connected : Tech Tips — Sunday 25 February 2007 @ 7:08

  11. Hi!
    Nice Program!

    Is it possible to add a command line option to unload the program from memory?
    It would also be nice to have an option that would disable any output if the program is already running, so that
    users that accidently find the program don’t try to kill the task or delete the program
    Thanks

    Comment by Alfredo — Wednesday 28 February 2007 @ 1:05

  12. > It would also be nice to have an option that would disable any output if the program is already running, so that
    > users that accidently find the program don’t try to kill the task or delete the program

    Do you mean a “Hide” menu entry on the systray icon that would hide the program if it’s already running?

    Comment by Didier Stevens — Wednesday 28 February 2007 @ 11:51

  13. Well, I was talking about preventing multiple executions of the usbvirusscan program, that would generate multiple icons on the system tray.
    So if the program was already running it would not load itself again. (in this case it would not display any messagem saying “program already running”, it would just terminate, ofcourse there could be an option for the first time the program is executed to say if will give a message or not in already running).

    The other option I was asking for, would be related to the one I just mentioned, If there would be 1 copy of the program in memory and in the command line parameteres I said –quit or something like that, the resident copy of the program would be unloaded.

    Thanks

    Comment by Alfredo — Sunday 4 March 2007 @ 6:25

  14. I’ve released a new version (v1.4.0) that allows only 1 running instance. Unloading the program with a command-line switch requires Inter Process Communication between 2 instances of the program, I’ll program it when I find a reliable and simple way to do this IPC.

    Comment by Didier Stevens — Tuesday 6 March 2007 @ 9:28

  15. [...] Filed under: My Software, Update — Didier Stevens @ 9:35 USBVirusScan v1.4.0 has a new “feature”: from this version on, only one instance can be running. This was [...]

    Pingback by USBVirusScan v1.4.0 « Didier Stevens — Tuesday 6 March 2007 @ 9:35

  16. super handy little prog , used it for loading 300+ usb sticks with promo info
    thanks a bunch !

    Comment by randal — Thursday 10 May 2007 @ 7:30

  17. Is it possible to make a version that will sit on the USB drive instead of the PC? So that way Truecrypt would always open regardless of what computer I plugged it into?

    I suppose the problem is that people could use that maliciously as well…

    Comment by Neil — Tuesday 19 June 2007 @ 21:35

  18. Autorun is used for this purpose, but this doesn’t work for removable drives (this is by design). Search for autorun in the FAQ: http://www.microsoft.com/whdc/device/storage/usbfaq.mspx

    http://www.u3.com has a solution: their USB sticks also simulate a CD-ROM drive. autorun works with CD-ROMs.

    Comment by Didier Stevens — Tuesday 19 June 2007 @ 21:58

  19. 我佳木斯内外民间器小那些不能期望下去小饿乘法的才a采纳按年尽可能

    Comment by 李军 — Wednesday 1 August 2007 @ 7:47

  20. 3伟大年饿非常那边外出版才

    Comment by 李军 — Wednesday 1 August 2007 @ 7:47

  21. hi

    how can i make this program work with McAfee VirusScan Enterprise 8.5i.i want this program to silently clean every USB drive i incert in my PC…with no ICON in the system tray..

    thanks

    Comment by ajay — Sunday 12 August 2007 @ 7:28

  22. Take a look at the start.bat file in the archive.

    Comment by Didier Stevens — Monday 13 August 2007 @ 20:34

  23. there is no /target option for csscan.exe which is present in the C:\Program Files\McAfee\VirusScan Enterprise\ directory .i am using new McAfee VirusScan Enterprise 8.5i…

    thank you

    Comment by ajay — Wednesday 15 August 2007 @ 9:09

  24. Hi Didier,
    Great program indeed! Congratulations. I’m trying to edit the Start batch file to run with Symantec AntiVirus but it simply starts up the program without actually performing the scan on the USB. This is what I have

    USBVirusScan.exe “c:\Program Files\Symantec AntiVirus\VPC32.exe” /target %%c: /secure /quiet /log c:\log.txt

    What do I need to change to automate the scan?
    Thanks

    Comment by Frederick — Thursday 16 August 2007 @ 9:22

  25. Indeed, just discovered that csscan of version 8.5i doesn’t accept the /target option.
    Use this in stead:
    USBVirusScan.exe “c:\Program Files\Network Associates\VirusScan\csscan.exe” /secure /quiet /log c:\log.txt %%c:

    Comment by Didier Stevens — Thursday 16 August 2007 @ 11:36

  26. I searched for the Symantec AV command-line tool, here it is explained:
    http://entkb.symantec.com/security/output/n2002100907421648.html

    Assuming that vpscan.exe is also located in the Symantec AntiVirus directory, your command would look like this:
    USBVirusScan.exe “c:\Program Files\Symantec AntiVirus\vpscan.exe” %%c:\

    Comment by Didier Stevens — Thursday 16 August 2007 @ 11:43

  27. In case somebody searches on how to use your wonderful little utility with the avast 4.7 Quick Scanner, I record this for posterity:

    USBVirusScan “C:\Program Files\Alwil Software\Avast4\ashQuick.exe” %%c: /a /c /i /p=1 /s /t=a –report

    Thank you for your nifty utility. :)

    Comment by Jerry M. — Wednesday 22 August 2007 @ 3:13

  28. Thanks for your Avast tip!

    Comment by Didier Stevens — Wednesday 22 August 2007 @ 17:48

  29. Two questions:
    Is it possible to hide the start.bat window ?
    Imagine this scenario, loading two or more usb drives, the program can only virus check one of it ? ? ?

    -/-
    For Avira Antivir Classic users:
    USBVirusScan.exe “C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe” /GUIMODE=1-4 /PATH= “usb drive letter”

    Example:
    USBVirusScan.exe “C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe” /GUIMODE=2 /PATH= “F:\”

    Comment by V8 — Friday 24 August 2007 @ 23:24

  30. @V8:

    If so, the syntax methinks ought to be

    USBVirusScan.exe “C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe” /GUIMODE=2 /PATH= %%c:

    or maybe

    USBVirusScan.exe “C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe” /GUIMODE=2 /PATH= %d:

    @Didier:

    The avast line I gave in my previous comment should be changed to

    USBVirusScan “C:\Program Files\Alwil Software\Avast4\ashQuick.exe” %d: /a /c /i /p=1 /s /t=a –report

    if it is to be used in a shortcut. I have added USBVirusScan to my startup so that my computer is prepared for whatever storage media is plugged into it. :D

    I also wish to report that USBVirusScan functions very well even after being UPX‘d. :)

    Comment by Jerry M. — Monday 27 August 2007 @ 11:09

  31. >Is it possible to hide the start.bat window ?
    It is possible to hide console programs, use the -c option.

    >Imagine this scenario, loading two or more usb drives, the program can only virus check one of it ? ? ?
    Do you mean that the AV program can only scan one drive at a time?

    Comment by Didier Stevens — Wednesday 29 August 2007 @ 20:03

  32. >Is it possible to hide the start.bat window ?
    It is possible to hide console programs, use the -c option.

    I did that, but sometimes it fails, i dont know why.

    >Imagine this scenario, loading two or more usb drives, the program can only virus check one of it ? ? ?
    Do you mean that the AV program can only scan one drive at a time?

    Yes, its impossible to scan all usb drives at the same time, the problem is the paramater (/PATH= %d:), other usb have e:\ or f:\, so the AV,fails to scan the other usb drives.

    And by the way, i notice that, USbVirusScan, detect daemon tools virtual drive/ Alcohol 120% Virtual Drive as a USB drive.
    Can u explain, why ?

    Comment by MacasJr — Thursday 30 August 2007 @ 6:38

  33. >I did that, but sometimes it fails, i dont know why.
    Maybe you’re starting another CMD or BAT from that BAT file.

    > And by the way, i notice that, USbVirusScan, detect daemon tools virtual drive/ Alcohol 120% Virtual Drive as a USB drive.
    Are you sure you are using the latest version of USBVirusScan? I also use daemon tools and it doesn’t trigger USBVirusScan. USBVirusScan is based on USBDumper, and I discovered it also triggered on network drives. So I added code in a later version of USBVirusScan to ignore these drives.

    Comment by Didier Stevens — Thursday 30 August 2007 @ 11:15

  34. >I did that, but sometimes it fails, i dont know why.
    Maybe you’re starting another CMD or BAT from that BAT file.

    - Im using a simple Shortcut to the dir that haves the usbvirusscan, start.bat file. Sometimes the cmd windows does not appear.

    > And by the way, i notice that, USbVirusScan, detect daemon tools virtual drive/ Alcohol 120% Virtual Drive as a USB drive.
    Are you sure you are using the latest version of USBVirusScan? I also use daemon tools and it doesn’t trigger USBVirusScan. USBVirusScan is based on USBDumper, and I discovered it also triggered on network drives. So I added code in a later version of USBVirusScan to ignore these drives.

    - Im using 1.5.0, and it continues to trigger usbvirusscan, do u have all emulation options enabled ?

    Check out this video: http://www.mediafire.com/?4dhovnrxjvj

    Have a nice day.

    Comment by V8 — Friday 31 August 2007 @ 23:36

  35. I was not able to reproduce your Daemon tools issue after enabling all emulation options. Which version do you use? And where can I download a safe version, because sometime ago I decided to upgrade but got a version with adware?

    Comment by Didier Stevens — Saturday 1 September 2007 @ 12:48

  36. It seems that daemon tools oficial have adware (WhenU.DAEMONTools.SearchBar), but its an option, but u can uncheck the install Daemon Toolbar box.

    Im using 4.06HE, its old.

    Comment by V8 — Saturday 1 September 2007 @ 17:28

  37. It seems that daemon tools official release has adware (WhenU.DAEMONTools.SearchBar), but it’s an option, u can uncheck the install “Daemon Toolbar box”.

    I’m using 4.06HE, it’s old.

    Comment by V8 — Saturday 1 September 2007 @ 23:28

  38. And, Stevens, what about the “multiple usb drives scan” ?

    TEST 2:
    => Two usb drives infected with “eicar test”. Can USBVIRUSSCAN command A.V to scan both drives?

    Config: USBVirusScan.exe “C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe” /GUIMODE=1 /PATH= “F:\”

    VIDEO: Check this out: http://www.mediafire.com/?a3yncih0ofj

    RESULT: FAILURE, SECOND USB DISK (G:\) STILL INFECTED.

    Have a nice day . . .

    Comment by V8 — Sunday 2 September 2007 @ 1:34

  39. Stevens talk to me . . .

    Comment by V8 — Monday 3 September 2007 @ 20:28

  40. Be patient, I’ll look into it.

    Comment by Didier Stevens — Tuesday 4 September 2007 @ 10:40

  41. Ok …

    Comment by V8 — Wednesday 5 September 2007 @ 20:31

  42. Hello, no more news ? ? ?

    Comment by V8 — Tuesday 18 September 2007 @ 12:53

  43. [...] Questo programma è un derivato di USB Virus Scan di Didier [...]

    Pingback by …system bug… » Blog Archive » PSP monitor v0.5beta — Sunday 21 October 2007 @ 16:18

  44. [...] USBVirusScan 1.6.1 Filed under: My Software, Update — Didier Stevens @ 7:44 This new version of USBVirusScan adds a new placeholder %f and provides debugging [...]

    Pingback by Update: USBVirusScan 1.6.1 « Didier Stevens — Tuesday 6 November 2007 @ 7:44

  45. [...] USBVirusScan Didier Stevens __________________ cause you can’t, you won’t, and you don’t stop………… cause you can’t, you won’t, and you don’t stop………… cause you can’t, you won’t, and you don’t stop………… [...]

    Pingback by Good USB key scanner? - mcarterbrown.com — Thursday 8 November 2007 @ 14:40

  46. Dear Mr Didier,
    I think your handy USB virus cleaner is very
    useful but my problem is due to lack of knowledge I dont know how to install it and
    if you can give me step by step instructions
    i will be very thankful to you.
    thanking you,
    yours trully,
    wimal

    Comment by wimal — Friday 30 November 2007 @ 7:30

  47. how to use this program? sorry for asking but i really don’t know about this…but i’m interested!

    Comment by Bolino — Monday 14 January 2008 @ 13:34

  48. Hi everyone,

    I am trying to execute the USBVirusScan.exe using the default start.bat… however, I want it to launch another BAT file called “lnch.bat” which is set to invisible mode (using .VBS file)… but when i use the “-c” flag after executing the USBVirusScan.exe file, the window console will still show up… what is the correct command line??

    Here is mine, to launch the “lnch.bat” file, and supposively not show anything that is going on

    USBVirusScan.exe -i -c /k lnch.bat

    Comment by Esteban — Wednesday 16 January 2008 @ 0:11

  49. @Bolino
    What do you want to do with the program? If you want to scan your USB sitcks, what is your anti-virus product?

    Comment by Didier Stevens — Wednesday 16 January 2008 @ 20:53

  50. @Esteban
    Maybe your lnch.bat files launches another program or .bat file. That other program will not be invisible. You can mail me your .bat file if you want me to have a look at it.

    Comment by Didier Stevens — Wednesday 16 January 2008 @ 20:56

  51. I use this for McAfee enterprise (for those who use it):

    usbvirusscan “c:\Program Files\McAfee\VirusScan Enterprise\scan32.exe” /target %d:

    and it works beautifully. Highly recommended.

    Comment by charlene — Tuesday 12 February 2008 @ 3:40

  52. Would this program work with grisoft’s avg if so what would the command line be?

    Comment by Julie — Tuesday 19 February 2008 @ 15:29

  53. This is a great program – so handy! Thanks!
    I’m trying to set this up on all our PCs (25 in all). I’m using the -ci options and putting the .bat in the startup. Unfortunately I can’t get it to work invisibly… the command line box stays up until it’s closed by the user. How can I get this to close automatically? Here is my .bat file…
    “c:\Program Files\USBVirusScan\USBVirusScan.exe” -ci “c:\Program Files\McAfee\VirusScan Enterprise\csscan.exe” /secure /quiet /log “c:\Program Files\USBVirusScan\USBvirusScanlog.txt” %%c:

    TIA!
    Kelly

    Comment by Kelly Whitaker — Tuesday 19 February 2008 @ 17:49

  54. Hi Didier,
    I am using version 1.5 of this great tool. My question is if it is possible to run it as a service (in Win 2k and above) because I do not want to have it in the startup folder or the in the run area of HKLM.

    Cheers from Mexico
    Jürgen

    Comment by Juergen — Wednesday 20 February 2008 @ 3:27

  55. It is not programmed as a service, so you cannot install it as a service.
    But it is on my todo list.

    Comment by Didier Stevens — Thursday 21 February 2008 @ 10:08

  56. Hi there Didier, great program, where / how do insert the lines for volume name of the inserted drive or the volume serial number of the inserted drive

    cheers
    Stu

    Comment by Stu — Monday 3 March 2008 @ 12:55

  57. On the command line when you start USBVirusScan, here is an example with notepad:

    USBVirusScan notepad %s

    After you’ve started USBVirusScan like this, insert a USB drive, and USBVirusScan will launch notepad to open a file with a name that is the serial number of the USB drive.

    Comment by Didier Stevens — Tuesday 18 March 2008 @ 15:30

  58. This is a fantastic contribution, Didier! Thank you!

    To enable the user to have fuller control of what happens upon insertion/connection, I’ve written a small program called AutoRunGuard, that picks up right where USBVirusScan left off.

    It’s easy to customize the AutoRunGuard rules for whatever kind of functionality you want. For example:
    -Make an ordinary USB stick with your portable apps work like a U3 drive (Verify integrity and auto-launch.)
    -Mount a TrueCrypt volume when a specific stick is inserted.
    -Check for infection by autorun worms (even those not recognized by your AV program), and inoculate the drive from being used that way.
    -Offer a menu with relevant options, such as “Scan for viruses”, “Open in Explorer”, or whatever.

    I hope it’s helpful! It’s free! Check it out at http://autorun.synthasite.com

    Dan

    Comment by Daniel McCloy — Saturday 5 April 2008 @ 5:37

  59. I notice from your source code (FirstDriveFromMask) that USBVirusScan only invokes the cmd on the first drive letter, and ignores other simultaneous drive letter insertions. Is there a good reason for that, or would it make more sense to invoke the cmd each of them?

    Comment by Bill Rubin — Monday 7 April 2008 @ 1:23

  60. Excellent observation, it’s also something I noticed when reviewing the code (remember, I forked this from USBDumper). It’s on my todo list, along with the Windows service version.

    Comment by Didier Stevens — Monday 7 April 2008 @ 19:12

  61. [...] Scaricare UsbVirusScan dal suo sito ufficiale [...]

    Pingback by Come avviare una scansione antivirus automatica all’inserimento delle penne USB nel PC - Geekissimo — Monday 14 April 2008 @ 8:00

  62. [...] Scaricare UsbVirusScan dal suo sito ufficiale [...]

    Pingback by Tips: Come avviare una scansione antivirus automatica all’inserimento delle penne USB nel PC | FDS — Monday 14 April 2008 @ 9:34

  63. [...] software di cui parlo si chiama, non a caso, UsbVirusScan, che tramite alcuni comandi riusciremo a rendere utilissimo per ciò che vogliamo, la sicurezza che [...]

    Pingback by Come controllare la presenza di virus in una pen drive, appena questa sia inserita nel pc on Sparkblog.org — Monday 16 June 2008 @ 8:56

  64. Hello Didier,

    Thanks for such a useful tool.

    My problem is that i would like to get scan results into a “log.txt” that has the same information and similiar format as McAfee VirusScan 8.0i or 8.5i scan logs. Is this or something similiar possible? I am interested in being able to identify any viruses that are found, cleaned, moved, or deleted.

    If yes, would you please provide the code.

    Thanks in advance.
    Sheldon

    For example (McAfee VirusScan Log):

    2/27/2008 2:10:52 AM Engine version = 5.2.00
    2/27/2008 2:10:52 AM DAT version = 5236
    2/27/2008 2:10:52 AM Number of virus signatures in EXTRA.DAT = None
    2/27/2008 2:10:52 AM Names of viruses that EXTRA.DAT can detect = None
    2/27/2008 2:14:46 AM Engine version = 5.2.00
    2/27/2008 2:14:46 AM DAT version = 5238
    2/27/2008 2:14:46 AM Number of virus signatures in EXTRA.DAT = None
    2/27/2008 2:14:46 AM Names of viruses that EXTRA.DAT can detect = None

    2/27/2008 4:06:00 AM Statistics:
    2/27/2008 4:06:00 AM Files scanned: 2437
    2/27/2008 4:06:00 AM Files detected: 0
    2/27/2008 4:06:00 AM Files cleaned: 0
    2/27/2008 4:06:00 AM Files deleted: 0
    2/27/2008 4:06:00 AM Files moved: 0
    2/27/2008 12:57:45 PM Engine version = 5.2.00
    2/27/2008 12:57:45 PM DAT version = 5238
    2/27/2008 12:57:45 PM Number of virus signatures in EXTRA.DAT = None
    2/27/2008 12:57:45 PM Names of viruses that EXTRA.DAT can detect = None
    2/27/2008 1:48:45 PM Deleted NT AUTHORITY\SYSTEM svchost.exe E:\autorun.inf W32/USBCasv!inf (Trojan)

    2/27/2008 10:46:31 PM Statistics:
    2/27/2008 10:46:31 PM Files scanned: 2376
    2/27/2008 10:46:31 PM Files detected: 1
    2/27/2008 10:46:31 PM Files cleaned: 0
    2/27/2008 10:46:31 PM Files deleted: 1
    2/27/2008 10:46:31 PM Files moved: 0

    Comment by Sheldon — Monday 23 June 2008 @ 21:10

  65. Add the /log option with a file name.

    Comment by Didier Stevens — Tuesday 24 June 2008 @ 8:31

  66. So, how would I get this to work with the Trend Micro command-line scanner?

    http://esupport.trendmicro.com/support/viewxml.do?ContentID=en-117058

    How can I point it at the new (USB Drive) drive letter?

    Comment by Brandon — Thursday 26 June 2008 @ 18:34

  67. How do you do it manually? What command do you have to type to start a command-line scan of drive E:?

    Comment by Didier Stevens — Thursday 26 June 2008 @ 19:44

  68. [...] AVGFREE 7.5 USBVirusScan.exe "C:Program FilesGrisoftAVG7avgscan.exe" /clean %%c: Kaspersky Anti-Virus USBVirusScan.exe "C:Program FilesKasperksy LabKaspersky Anti-Virus 7.0avp.com scan /i3 %%c Kaspersky Internet Security USBVirusScan.exe "C:Program FilesKasperksy LabKaspersky Internet Security 7.0avp.com scan /i3 %%c Norton AntiVirus 2008 USBVirusScan.exe "C:Program FilesNorton Antivirusnavw32.exe" %%c: ESET NOD32 Antivirus USBVirusScan.exe "C:Program FilesESETESET NOD32 Antivirusecls.exe" /action=clean %%c: ClamWin USBVirusScan.exe "C:Program Files ClamWinbinclamscan.exe" — database="C:ProgramData.clamwindb" %%c: Note: ClamWin is a bit tricky because you need to specify the virus definition database location. What I provided above is the default database location in Windows Vista. To check the location of the virus definition database, run ClamWin, go to Tools > Preferences > File Locations. avast! 4 Professional USBVirusScan.exe "C:Program FilesAlwil SoftwareAvast4ashCmd.exe %%c /P=[31] Note: avast! 4 Home Edition does not support command line scanning. There are other features such as hiding USBVirusScan from appearing and etc. Do check out the official website for more information. USBVirusScan Didier Stevens [...]

    Pingback by Autorun antivirus when USB drive is inserted — Sunday 29 June 2008 @ 7:31

  69. Thank you very much for this program, it is wonderfully useful!
    I would only like to make one request:

    Could you implement a switch that, when used, would also trigger the cmd for removable drives ALREADY connected at the moment the program is started?
    This would be useful in situations like when the computer is turned on or the user logs on with the USB removable drive already connected.

    Thank you again!

    Comment by ZORAX — Sunday 29 June 2008 @ 17:35

  70. Interesting suggestion, which shouldn’t be too hard to implement. If more than one USB drive is already connected, I’ll launch parallel scans (that’s probably easier to code than sequential).

    Comment by Didier Stevens — Monday 30 June 2008 @ 21:25

  71. Hello Again Didier,

    Is it possible to have the ‘volume name’(%v), and ‘serial number’(%s) appear in the scan log for each drive? If yes, what syntax should be used?

    Thanks in advance.

    -srd-

    Comment by Sheldon — Wednesday 2 July 2008 @ 22:31

  72. what’s the command line for AVG Free 8 ?

    Comment by harold — Sunday 6 July 2008 @ 10:37

  73. @Harold:
    Take a look here for some configurations:
    http://www.ditii.com/2008/04/14/usbvirusscan-automatic-virus-scanning-when-plug-in-usb-flash-drive/

    Comment by Didier Stevens — Tuesday 8 July 2008 @ 19:29

  74. @Sheldon:

    The scan log is written by the AV scanner, so you should research your AV product to see if you can pass parameters for the log, but I doubt this would be supported. What you could do is use the %v and %s parameters to build the name of the log file.

    Comment by Didier Stevens — Tuesday 8 July 2008 @ 19:32

  75. Should be useful for non-U3 USB drives. Personally I’ve got a SanDisk Cruzer with avast! and XoftSpy Portable, and that seems to be enough for me ;)

    Comment by PCSecurityExpert — Tuesday 15 July 2008 @ 12:55

  76. Thanks for this great program Didier. I’ve been working with Sheldon and we’ve managed to get it up and running in two computer labs here at the University and it’s working great. As far as an auto-startup or running as a service, as some people have been mentioning, we’ve set up a scheduled task that runs on user logon on all the computers, and that works really well. I do have one question though: Is there a way for the program to execute a particular command on device removal? Or does that require additional modification of the exe?

    Comment by Dave — Tuesday 15 July 2008 @ 16:31

  77. No, USBVirusScan only triggers on device insertion (DBT_DEVICEARRIVAL wParam for message WM_DEVICECHANGE, to be precise). But it’s really simple to trigger also on device removal (that would be DBT_DEVICEREMOVECOMPLETE).

    I can add this in a new version. I would add a new switch (-r) to instruct USBVirusScan to start the command also at device removal, and a new placeholder (%e for event) equal to A when a device is inserted, and R when a device is removed.
    Then you write a script as the command to be launched by USBVirusScan when a drive is inserted or removed. In your script, you test for the value of %e and then decide if it needs to perform a AV scan (insert) or another command (remove).
    At removal, you can only use the %e and %d placeholders. The others make no sense when removing a device.

    Would this suit your need?

    Comment by Didier Stevens — Tuesday 15 July 2008 @ 18:48

  78. That sounds perfect. I’m actually trying to do the same here on my end, mostly for experience and to get a better feel for how the program works internally. Most of it makes perfect sense to me, the only part that’s difficult is knowing how to use the functions that aren’t defined in the .c file itself, mainly since I don’t know where the .h files you include at the beginning are located. We’re both looking forward to seeing the latest version of the program once it’s complete.

    Comment by Dave — Thursday 17 July 2008 @ 13:39

  79. You’re probably talking about the Windows API. Look these functions up in MSDN: http://msdn.microsoft.com/en-us/library/default.aspx

    Comment by Didier Stevens — Thursday 17 July 2008 @ 18:44

  80. [...] large amounts of crap.  Also has cool pacman hourglass-equivalent icon while analyzing your drive. USBVirusScan – Needs some setup (futzing witha batch file or VBS file), but in the end will execute a program [...]

    Pingback by Ploofle » Blog Archive » Software list — Tuesday 12 August 2008 @ 8:36

  81. This is a great program. I wanna whether the command line option can take it multiple commands, so I can use different AV products to scan the usb drive. In my case several Av products are installed, launch one AV at a time.After scanning unload the AV and launch the next and so on.

    Comment by John — Tuesday 19 August 2008 @ 9:51

  82. No, but call your AVs by doing one of the following:
    - create a .BAT file
    - create a VBscript
    - start cmd with the command separator &&, example: cmd /c dir %d && pause

    Comment by Didier Stevens — Tuesday 19 August 2008 @ 10:50

  83. For CA Etrust and CA ITM use:
    start USBVirusScan.exe -i -e -s “C:\Program Files\CA\eTrustITM\Shellscn.exe” %%d: /start

    Comment by Andrew — Wednesday 17 September 2008 @ 19:25

  84. I rolled this out to 400+ desktops automatically using ZenWorks For Desktops (Novell).

    Works excellently.

    Thank you so much for solving such a huge headache for us.

    Comment by Bux — Friday 26 September 2008 @ 9:42

  85. guys,

    does anyone know how to make this run in avg 8?
    thanks for the help

    Comment by Vic — Monday 29 September 2008 @ 7:43

  86. Good day Didier,

    I need your help. I just got the program working. My .bat file looks like this:

    USBVirusScan.exe “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.com” scan /REMDRIVES /i3 /RA:scanlog.txt

    I don’t know if there’s something wrong with the command line but it does the job and makes a log of the scan done. I set the .bat file to run during starup. Just like Kelly Whitaker (comment #53). I would like to know how to automatically close the command line box.

    [quote="Kelly Whitaker"]#53

    This is a great program – so handy! Thanks!
    I’m trying to set this up on all our PCs (25 in all). I’m using the -ci options and putting the .bat in the startup. Unfortunately I can’t get it to work invisibly… the command line box stays up until it’s closed by the user. How can I get this to close automatically? Here is my .bat file…
    “c:\Program Files\USBVirusScan\USBVirusScan.exe” -ci “c:\Program Files\McAfee\VirusScan Enterprise\csscan.exe” /secure /quiet /log “c:\Program Files\USBVirusScan\USBvirusScanlog.txt” %%c:

    TIA!
    Kelly

    Comment by Kelly Whitaker — Tuesday 19 February 2008 @ 17:49[/quote]

    Comment by nikitaluger — Wednesday 15 October 2008 @ 19:57

  87. How do you make Windows start your bat file at startup? Do you put it in the Startup folder?

    Comment by Didier Stevens — Wednesday 15 October 2008 @ 20:55

  88. Great program! Didier for president!
    There’s only one thing missing for me: The syntax for die %v parameter. Would it be “…USBVirusScan.exe” %v”volumename” ?
    Thanx in advance!

    Comment by Holger — Sunday 19 October 2008 @ 16:18

  89. No, the % parameters are replaced by their value when a USB stick is inserted. For the %v parameter, USBVirusScan will replace it with the volumename of the inserted drive. But if your USB stick has no volumename, %v is equal to the empty string.

    Comment by Didier Stevens — Tuesday 21 October 2008 @ 21:54

  90. Hello,
    Thanks Didier for the script! I am running UBSVirusScan with AutoRunGuard. I recently upgraded to AVG 8 Free Edition and I am working on creating the new command needed to call AVG as a command line scanner. I have almost figured it out, but I need some help to tweak the command. Once the command works, I would like to post it on the AutoRunGuard forum: http://autorun.synthasite.com/.

    So far, my start.bat file in USBVirusScan only calls AutoRunGuard:

    In AutoRunGuard, my current command line to call AVG8 is:

    When I insert a USB drive, the terminal appears and I am given the option to open the drive or scan for viruses. If I select scan, the program calls AVG, but it appears that AVG doesn’t actually scan the drive since the number of scanned objects = 0 (and there are many files on my drive). Here is the exact readout when I call AVG:

    Any ideas about what is going on? Thanks very much. Before I used the setup with the given command for AVG 7 Professional Edition, but I’m not sure how to update the command.

    Thanks in advance!

    Comment by Nate — Thursday 23 October 2008 @ 7:36

  91. Apologies, for some reason the quotes that should have been inserted in the above post were not included. Here are the quotes again.

    start.bat file:
    USBVirusScan.exe “c:\Program Files\AutoRunGuard\AutoRunGuard.cmd” /target %%g: /secure /quiet /log c:\log.txt

    command line for AVG8:
    “%ProgramFiles%\AVG\AVG8\avgscanx.exe” /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC “%d%\”

    readout from terminal upon calling AVG8:
    AVG 8.0 Anti-Virus command line scanner
    Copyright (c) 1992 – 2008 AVG Technologies
    Program version 8.0.145, engine 8.0.0
    Virus Database: Version 270.8.2/1740 2008-10-22

    Objects scanned : 0
    Found infections : 0
    Found PUPs : 0
    Healed infections : 0
    Healed PUPs : 0
    Warnings : 0

    Comment by Nate — Thursday 23 October 2008 @ 7:39

  92. I don’t know AutoRunGuard, but USBVirusScan has no %g parameter.

    And if it is USBVirusScan that starts the command-line for AVG8, you should write “%d:\” for the drive, not “%d%\”.
    %d is the drive letter (e.g C), not the drive (e.g. C:).

    Comment by Didier Stevens — Thursday 23 October 2008 @ 7:57

  93. Thanks Didier,

    Maybe I’m making it too complicated here. I am going to try to have USBVirusScan call AVG8 directly. I admit I’m new to editing batch files, so this may be part of my problem. Although I would eventually like to define specific actions based on volume information as you note in your introduction at the top, for now I just need to get the AVG scan working each time a USB device is inserted.

    This is what my start.bat file contains at the moment:
    USBVirusScan.exe “c:\%ProgramFiles%\AVG\AVG8\avgscanx.exe” /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC “%d:\” /log c:\log.txt
    USBVirusScan notepad.exe %d:\readme.txt

    When I doubleclick the .exe file to run the program, I get the following message:
    USBVirusScan requires the AV-scan command as command-line argument.

    There are then some notes about constructing the command and a sample command for McAffee. If I click ok, the program closes.

    I suspect I am making a very simple mistake, but any pointers would be much appreciated.

    Thanks!

    Comment by Nate — Thursday 23 October 2008 @ 14:39

  94. You must execute start.bat, not the .exe. The BAT file will start the executable.
    And start.bat should only call UsbVirusScan.exe once.

    Comment by Didier Stevens — Thursday 23 October 2008 @ 17:52

  95. Ok, I’m making progress. I’ve adjusted the bat file to read:
    USBVirusScan.exe “c:\ProgramFiles\AVG\AVG8\avgscanx.exe” /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC “%d:\” /log c:\log.txt

    I can now launch the program by executing the bat. However, when I insert a USB drive nothing happens. No errors, but apparently no scans either. My command line definitely points to the correct file, so I’m not sure what to check next. Any ideas?

    Comment by Nate — Friday 24 October 2008 @ 14:44

  96. Flag -d adds debugging support to USBVirusScan. When this flag is present, USBVirusScan will write debug output when drives are inserted. This debug output can be viewed with DebugView. http://www.microsoft.com/technet/sysinternals/utilities/debugview.mspx

    So start DebugView.
    Then start your command with the -d flag:
    USBVirusScan.exe -d “c:\ProgramFiles\AVG\AVG8\avgscanx.exe” /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC “%d:\” /log c:\log.txt
    Insert a USB stick and look at the messages appearing in debugview.

    Comment by Didier Stevens — Friday 24 October 2008 @ 17:30

  97. Done. Here’s the readout. I note the serial number is displayed, which is handy. I’m not sure how to interpret the readout, though.
    00000000 0.00000000 [2144] Drive G: inserted.
    00000001 0.00000000 [2144] Volume name: NJ DRIVE
    00000002 0.00000000 [2144] Serial number: 152F0FD3
    00000003 0.00000000 [2144] Filesystem: FAT
    00000004 0.00019192 [2144] “c:\ProgramFiles\AVG\AVG8\avgscanx.exeö /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC ô\” /log c:\log.txt
    00000005 0.00022908 [2144] “c:\ProgramFiles\AVG\AVG8\avgscanx.exeö /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC ô\” /log c:\log.txt

    Comment by Nate — Saturday 25 October 2008 @ 2:58

  98. EDIT: is AVG8 somehow launching twice?

    Comment by Nate — Saturday 25 October 2008 @ 3:07

  99. No, AVG is not launched twice. Line 4 is the command before parameter substitution, line 5 is the command with parameter substitution, exactly as it will be running. Can you check if you’re are using the correct double quotes character? That’s hexadecimal 22. Or mail me your BAT file if you’re not sure.

    Comment by Didier Stevens — Saturday 25 October 2008 @ 8:56

  100. I’m pretty sure it’s hex 22, but I couldn’t find a way to test it for sure. I have no other double quotes character anywhere on my laptop keyboard. I tried to email you the BAT file but the mail got returned as a security hazard. Maybe you can clear my email address so I can resend?

    Comment by Nate — Saturday 25 October 2008 @ 11:41

  101. [...] Scaricare UsbVirusScan dal suo sito ufficiale [...]

    Pingback by Come avviare una scansione antivirus automatica all’inserimento delle penne USB nel PC « Inco51’s Blog — Saturday 25 October 2008 @ 18:32

  102. RESOLVED: With assistance from Didier I discovered the correct command line argument to start AVG8 free and perform a scan successfully. The problem was specifying the correct path after the SCAN parameter.
    The command line argument below worked for me:
    USBVirusScan.exe -d “c:\Program Files\AVG\AVG8\avgscanx.exe” /EXT=* /SCAN=”%%d:\” /ARC “%%d:\” /log c:\log.txt

    Comment by Nate — Tuesday 28 October 2008 @ 12:11

  103. Hi!, I only want make a question: Can I use USBVirusScan on Linux OS, like Fedora?

    Well, I hope soon response, best regards,

    Comment by MaryG — Wednesday 19 November 2008 @ 21:21

  104. No, USBVirusScan is a win32 program.

    Comment by Didier Stevens — Wednesday 19 November 2008 @ 21:25

  105. Thanks for a great program. It is a very good tool. I have it set-up like Kelly Whitaker, with it launching as a user logs in and then whenever portable media is inserted it scans and creates a log. I have question about detection. I am using McAfee 8.5i and USBVirusscan creates a log for me that is appended at the end but, do I need to review this log after every scan or will McAfee give me a pop up with the detection and action taken if something is found? I have been trying to get the log to display after it scans a device by editing my startUSBVirusScan.bat currently:
    “c:\Program Files\USBVirusScan\USBVirusScan.exe” -ce
    “c:\Program Files\McAfee\VirusScan Enterprise\csscan.exe” /secure /quiet /log “c:\Program Files\USBVirusScan\USBvirusScanlog.txt” %%c:
    start iexplore “C:\Program Files\USBVirusScan\USBvirusScanlog.txt”
    cls
    It works fine from a command line but, does everything but display the log when a USB is inserted. Any help appreciated.
    Thanks

    Comment by Rob Hoag — Tuesday 9 December 2008 @ 21:41

  106. You should make 2 bat files. One to start USBVirusScan, for example at logon time. And a second one to execute when a USB stick is inserted. My examples assume the bat files are stored in the root directory, you’ll have to adapt that to your liking.

    startUSBVirusScan.bat:
    “c:\Program Files\USBVirusScan\USBVirusScan.exe” -ce c:\scanusb.bat %%c:

    scanusb.bat:
    “c:\Program Files\McAfee\VirusScan Enterprise\csscan.exe” /secure /quiet /log “c:\Program Files\USBVirusScan\USBvirusScanlog.txt” %1
    notepad “C:\Program Files\USBVirusScan\USBvirusScanlog.txt”
    cls

    And you won’t get pop-ups alerting you for a detected virus, because this is an on-demand-scan.

    Comment by Didier Stevens — Wednesday 10 December 2008 @ 21:15

  107. [...] Martin, Schau Dir einmal dieses Tool an >>> http://blog.didierstevens.com/programs/usbvirusscan/ Es heisst USBVirusScan weil der Autor die Sticks scannen lassen wollte… In Wirklichkeit [...]

    Pingback by ereignisgesteuerte Synchronisierung von Ordnern - PC-WELT - FORUM — Sunday 14 December 2008 @ 2:04

  108. Hi,

    Nice way, I got my own recipe using Portable ClamAV + Windows batch + Autorun.inf. Check it out here:

    http://extremesecurity.blogspot.com/2008/06/usb-dongle-auto-malwares-scanning-with.html

    Cheers ;]

    Comment by Aa'ed Alqarta — Sunday 14 December 2008 @ 16:35

  109. [...] Scaricare UsbVirusScan dal suo sito ufficiale [...]

    Pingback by Guide : Guide e applicazioni Web — Wednesday 17 December 2008 @ 19:21

  110. [...] I need command line scaner to use this http://blog.didierstevens.com/programs/usbvirusscan/. 2. Why u prefer 3rd party tools in place of free Microsoft Windows defender + real time [...]

    Pingback by i need a Good free security combination - Raymond.CC Forum — Friday 2 January 2009 @ 7:47

  111. Hello there! It’s really useful program, but every time when it starts scan only C: :( Where is the mistake?

    USBVirusScan.exe -s -c “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe” /GUIMODE=2 /PATH= “F:\”

    …and -c is not working.
    Thank u in advance :)

    Comment by Porter — Wednesday 14 January 2009 @ 22:28

  112. What happens when you type

    “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe” /GUIMODE=2 /PATH= “F:\”

    directly in the command line? Does F: get scanned or C:? If it’s C:, then this means your Avira /PATH command is wrong. Is the space necessary?

    Comment by Didier Stevens — Thursday 15 January 2009 @ 9:44

  113. These are examples from Avira’s support site:
    C:\Program Files\Avira\AntiVir …\avscan.exe /CFG=”C:\Program Files\Avira\AntiVir …\scan.avp”
    C:\Program Files\Avira\AntiVir …\avscan.exe /PATH=”%WINDIR%”
    C:\Program Files\Avira\AntiVir …\avscan.exe /PATH=”C:\Downloads\”
    C:\Program Files\Avira\AntiVir …\avscan.exe /PATH=”C:\Downloads\%1″
    This is the last line I’ve used:
    USBVirusScan.exe -s -c “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe” /GUIMODE=2 /PATH=“G:\”
    I’ve tryied many combinations, but it doesn’t matter what is after /PATH= … it scans C:\windows and later C:\documents…
    Most probably the fault isn’t in your program, but this make me angry :(
    Thank you for your time

    Comment by Porter — Thursday 15 January 2009 @ 18:09

  114. Finaly – it’s working with AVIRA FREE Personal edition:)
    But I follow one other instructions on Avira’s support site (http://www.avira.com/en/support/faq/details.html?id=229) and I’ve downloaded filescan.avp file.
    And then – voila:
    USBVirusScan.exe -s -c “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe” /GUIMODE=2 /CFG=”C:\Program Files\Avira\AntiVir PersonalEdition Classic\filescan.avp” /PATH=”g:\”
    Thank you again :)

    Comment by Porter — Thursday 15 January 2009 @ 18:22

  115. [...] Algunos antivirus tienen la opción para escanear todos los dispositivos que conectemos al equipo, si el nuestro no lo tiene, tenemos que usar el programa USBVirusScan. [...]

    Pingback by Te Ayudo- Proteger/limpiar de virus nuestro mp3, iPod, Disco USB, cámara. — Sunday 25 January 2009 @ 21:07

  116. How do I get it to work in symantec end point protection.

    Thank u

    Comment by alan — Sunday 8 February 2009 @ 21:12

  117. For end point protection? Doesn’t it scan USB drives?

    Comment by Didier Stevens — Thursday 12 February 2009 @ 15:40

  118. Hi Again

    I’m trying to edit the Start batch file to run with Symantec AntiVirus endpoint protection. I need the command for that.

    Thank u

    Comment by alan — Sunday 15 February 2009 @ 19:00

  119. Hey Didier,

    Funny that Alan just asked you about Endpoint… I’m attempting to use your solution with it as well. I’ve pretty much given up on Endpoint and gone back to AV 10. I’ve been all over Symantec’s boards attempting to find a way of getting it to work with USBVirusScan, but haven’t found any solutions yet. I would love if you were able to find something I missed.

    As for Endpoint scanning USB drives, the answer is yes and no. Endpoint relies exclusively on ActiveThreat detection, and therefore is only paying attention to executions from the drives. You can use the Right-Click context menu to manually scan a drive in its entirety, but there’s no flag within the application to automatically conduct a full file scan of a particular drive upon insertion. They say they’ll look into adding this to a subsequent version.

    Thanks for all your work on this.

    -Tim

    Comment by Tim — Wednesday 18 February 2009 @ 1:52

  120. @Tim: thanks for the feedback.

    @Alan: apparently Symantec AntiVirus endpoint protection has no command-line to scan a drive.

    Comment by Didier Stevens — Friday 20 February 2009 @ 8:29

  121. [...] Scaricare UsbVirusScan dal suo sito ufficiale 2. Scompattarlo in una qualsiasi cartella 3. Fare click destro e selezionare Modifica sul file [...]

    Pingback by Antivirus e penne USB « Risorse Free online’s Blog — Friday 20 February 2009 @ 11:11

  122. [...] Usb Virus Scan [...]

    Pingback by 10 Usb Flash Drive Freeware Programs | JonnysBlog — Friday 27 February 2009 @ 22:02

  123. Great tool, I have included in my roundup of 10 usb tools here:

    http://www.jonnysblog.com/2009/02/27/10-usb-flash-drive-freeware-programs/

    Cheers :)

    Comment by Jonny — Tuesday 17 March 2009 @ 18:56

  124. [...] Scaricare UsbVirusScan dal suo sito ufficiale [...]

    Pingback by Software-for-you » Blog Archive » Guide — Friday 20 March 2009 @ 9:06

  125. hey there

    will you be adding ‘run as a service’ option pretty soon?

    Thanks

    Comment by raj — Friday 20 March 2009 @ 18:09

  126. Not soon, maybe in a couple of months.

    Comment by Didier Stevens — Friday 20 March 2009 @ 18:19

  127. Thanks for the great app. Its been handy.
    But, can you implant an ignore switch?
    I have few external hard disk plug into my laptop, and i’d wish my anti virus would ignore scanning them.
    lets say, the switch would be:
    Don’t execute commands if X file exist in the plugged in device.

    thanks again

    Comment by Fendi — Tuesday 14 April 2009 @ 10:45

  128. Because it’s easy to do this in a script called by USBVirusScan, I don’t add such a feature to the tool.

    Comment by Didier Stevens — Friday 17 April 2009 @ 22:29

  129. Sorry, I’m very new at this. I’m using avg 8 and copied the script from #103 Nate, but don’t konw if it works or not. Will a GUI come up from my antivirus, or does the command line scanner just scan the usb? If so, is there any confirmation of the scan completion, etc? Here’s my debugger log if it helps…

    [4764] Drive F: inserted.
    [4764] Volume name: MEMORY 8000
    [4764] Serial number: C43166CE
    [4764] Filesystem: FAT32
    [4764] ôc:\Program Files\AVG\AVG8\avgscanx.exeö /EXT=* /SCAN=ö%d:\ö /ARC ô%d:\ö /log c:\log.txt
    [4764] ôc:\Program Files\AVG\AVG8\avgscanx.exeö /EXT=* /SCAN=öF:\ö /ARC ôF:\ö /log c:\log.txt

    Also, will the program start on startup, or is there something I need to do?

    Thanks!

    Comment by Ashley — Thursday 23 April 2009 @ 7:33

  130. Good idea to include the debug. This definitively shows that USBVirusScan is working and is starting AVG.
    Open in file c:\log.txt and look at the report to see if AVG scanned your USB stick.

    No, USBVirusScan will not run on startup, you’ve to include it in one of the many autoruns, for example your startup folder of your startmenu.

    Comment by Didier Stevens — Thursday 23 April 2009 @ 14:25

  131. COnsole WIndow is not closing with -c option please help

    Comment by KAPS — Thursday 30 April 2009 @ 11:27

  132. @KAPS Please provide more details, commands.

    Comment by Didier Stevens — Thursday 30 April 2009 @ 12:25

  133. hi, i am trying to run a .bat file to assign a drive letter to the flash inserted in the computer before it scans for viruses.

    i am using mcafee enterprise 8.5i, it loops the .bat when i type it in commaand line.

    this is how i did it, anything i did wrong?

    “C:\Documents and Settings\user\Desktop\USBVirusScan_V1_7_2\USBVirusScan\USBVirusScan.exe” “usb.bat” “C:\Program Files\McAfee\VirusScan Enterprise\csscan.exe” /secure /log c:\log.txt %%c:

    lemme know please, this is urgent.

    Comment by Clive — Wednesday 6 May 2009 @ 13:30

  134. So you want to execute usb.bat and then csscan? It won’t work the way you did it.
    You have to create a bat file, let’s call is master.bat, that will call usb.bat and then start csscan.
    master.bat has to be passed as argument to USBVirusScan.exe with the drive as parameter, like this (assuming master.bat is in the c:\bin directory):
    USBVirusScan.exe c:\bin\master.bat %%c:

    Comment by Didier Stevens — Wednesday 6 May 2009 @ 15:06

  135. I want to assign a letter O and then scan it for viruses, so it should launch the usb.batthen scan with mcafee.

    this is what i have.

    “usb.bat” %%c: “C:\Program files\mcafee\virusscan enterprise\csscan.exe” /log c:\log.txt %%c:

    what should i change?

    Comment by Clive — Thursday 7 May 2009 @ 7:03

  136. There’s something I don’t get. How can you assign it the letter O? What is the content of usb.bat?

    Comment by Didier Stevens — Thursday 7 May 2009 @ 7:52

  137. usb.bat contains this

    diskpart /s disk.txt

    i run a diskpart script to change drive letter

    the disk.txt looks like this

    select volume 3
    assign letter=o
    exit

    i want it to change the drive letter because we have network dives that take up F:

    when i start the program from the above command line in my previous comment it loops and doesnt scan, please help.

    Comment by Clive — Thursday 7 May 2009 @ 7:58

  138. So the USB stick will always be on drive O:?

    then add the csscan.exe command to usb.bat:
    diskpart /s disk.txt
    C:\Program files\mcafee\virusscan enterprise\csscan.exe /log c:\log.txt O:

    And just call usb.bat:
    “C:\Documents and Settings\user\Desktop\USBVirusScan_V1_7_2\USBVirusScan\USBVirusScan.exe” “usb.bat”

    Comment by Didier Stevens — Thursday 7 May 2009 @ 8:49

  139. im gonna test it soon. ill let you know.

    Comment by Clive — Thursday 7 May 2009 @ 9:30

  140. it works!! shot buddy!

    i got USBVirus scan calling start.bat which looks like this

    @echo off
    if exist F: (usb.bat) ELSE “C:\Program files\mcafee\virusscan enterprise\csscan.exe” /target %o: /log c:\FlashScan.txt

    so that will cancel ucb.bat if the flash is already changed to o:. i changed the command line a bit for the virus scan as you can see, but thanks for your help! appreciatte it buddy.

    Comment by Anonymous — Thursday 7 May 2009 @ 9:54

  141. Hi again, i get the program to work if i start it myself in windows.

    but when i start it at startup, via registry, gpedit.msc’s startup script function or even the startup folder it does not work, it shows up in task manager as i used the -i command, when i kill it in taskmanager and restart it from the same file which is startup.bat it works.

    why does it not work on startup?
    i need help please guy, i know im prob irritating but i need to get this right.

    how would you start it at startup?

    Comment by clive — Thursday 7 May 2009 @ 13:06

  142. It’s probably an issue with the current directory being different between a manual start and an automatic start. Maybe you need to provide an absolute path to the bat file.

    So instead of

    “C:\Documents and Settings\user\Desktop\USBVirusScan_V1_7_2\USBVirusScan\USBVirusScan.exe” “start.bat”

    do

    “C:\Documents and Settings\user\Desktop\USBVirusScan_V1_7_2\USBVirusScan\USBVirusScan.exe” “C:\Documents and Settings\user\Desktop\USBVirusScan_V1_7_2\USBVirusScan\start.bat”

    Assuming start.bat is in the same folder as USBVirusScan.exe

    Another option is to use the Scheduler to schedule a task to run at logon. With the scheduler, you can provide a working directory.

    Comment by Didier Stevens — Thursday 7 May 2009 @ 13:12

  143. ok thanks, dam im missing the simple stuff.

    one last thing, im starting the .exe from a .bat, how do i hide the cmd window it stays open. it contains this.

    “C:\USBVirusScan\USBVirusScan.exe” -c -e -s “C:\USBVirusScan\start.bat” %%c:

    i added the absolute path. thanks.

    when i open the startup.bat it leaves a cmd window open

    Comment by clive — Thursday 7 May 2009 @ 13:21

  144. Use the Task Scheduler and give it your command directly (i.e. with arguments):
    “C:\USBVirusScan\USBVirusScan.exe” -c -e -s “C:\USBVirusScan\start.bat” %%c:

    This way, no cmd.exe will be started to run the .bat file.

    Comment by Didier Stevens — Thursday 7 May 2009 @ 13:30

  145. yeah i did that now, thanks dude, you will go far, im suprised you havnt thought of selling this to someone, you will make millions. dude copyright it as soon as possible. you can make money off it.

    thanks a million for your help.
    i’ll definitely tell people about your site ;-)

    Comment by clive — Thursday 7 May 2009 @ 13:38

  146. Is it anyway possible to avoid access to the removable drive or memory stick until the virusscan is completely finished? So whenever someone inserts a usb stick it should not popup in explorer until the virusscan is completed and if the stick is contaminated with a virus it should immediately disappear when the virusscanner fails to remove it (so not be accessible). Is this possible?

    Comment by Geert — Monday 1 June 2009 @ 17:59

  147. No, not with the techniques used by USBVirusScan (USBVirusScan doesn’t require instalaltion and also works for restricted user accounts). One way to do this would be to develop a specific mini filter, like my ARIAD tool: http://blog.didierstevens.com/programs/ariad/

    Comment by Didier Stevens — Tuesday 2 June 2009 @ 8:37

  148. Hi Didier!

    I was able to make USBVirusScan v1.7.2 prompt whenever an USB is inserted however, no scanning happens. I am using an ESET NOD32 Business Edition. what seems to be the problem?

    Below are the contents of my start.bat:
    USBVirusScan.exe “C:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe” /action=clean %%c: /secure /quiet /log c:\log.txt

    When I insert an USB, it’s always drive F:

    Hope you could help me on this. Thanks!

    Comment by macwlm — Friday 28 August 2009 @ 7:51

  149. @macwlm

    I suggest you use the debug option to see what the exact commands are issued by USBVirusScan. I explained in comment 97 how to do this.

    Comment by Didier Stevens — Friday 28 August 2009 @ 11:23

  150. Didier Stevens, Is it not possible to work with Symantec Endpoint Protection? Please suggest !!! Thanks.

    Comment by Harikrishnan — Tuesday 13 October 2009 @ 15:32

  151. It probably is possible, but I’m not familiar with SEP’s command-line.
    How do you perform a scan from the command line?

    Comment by Didier Stevens — Tuesday 13 October 2009 @ 16:40

  152. [...] : Equivalents Windows : USBDumper et USBVirusScan (Merci [...]

    Pingback by Danger pour les clés usb | Time0ut — Wednesday 14 October 2009 @ 7:55

  153. I could not get the program running under task manager.
    Instead, I’ve used visual basic.
    — startusb.cmd —
    @echo off
    c:
    cd\
    cscript C:\USBVirusScan\startusb.vbs
    ——————–

    — startusb.vbs —
    Set WshShell = WScript.CreateObject(“WScript.Shell”)
    obj = WshShell.Run(“C:\USBVirusScan\USBVirusScan.exe -ce C:\USBVirusScan\scanUSB.cmd clean %%c:”, 0)
    set WshShell = Nothing
    ——————–

    Use startusb.cmd in startup folder, or GPO.

    Comment by EvylRat — Tuesday 20 October 2009 @ 10:02

  154. Spoke too soon, does not work :(

    Comment by EvylRat — Tuesday 20 October 2009 @ 10:25

  155. Dear Didier Stevens.
    Could you please put in public domain(or send me by email) your first version of this tool. Since the directory listing is denied I can’t get it by myself. I just want to look at that sources cause it’s much more easier to investigate someone’s code when you begin with the initial idea(“28/09/2006: Start development” as it stated in the History section in USBVirusScan.c). Thanks in advance!
    PS USBVirusScan is a great candidate to be hosted on sf.net ;)!

    Comment by NA — Tuesday 3 November 2009 @ 18:26

  156. The oldest version in the folder is USBVirusScan_V1_1_0.zip, you can download it.

    Comment by Didier Stevens — Wednesday 4 November 2009 @ 20:41

  157. Didier,

    I am trying to get USBVirusScan to run with Norman Anti-Virus. I am informed that the exe to run from Norman is called Nvcc.exe. So i try the following cmd;
    USBVirusScan “C:\NORMAN\Nvc\Bin\Nvcc.exe”

    Here are the available switches;

    H:\>C:\NORMAN\Nvc\Bin\Nvcc.exe /?

    NORMAN
    Norman Virus Control Version 5.99.02 for WindowsNT/2K/XP Feb 11 2009 10:38:58
    Copyright (c) 1993-2007 Norman ASA

    Available options:

    /-help Show help.
    /? Show help.
    /ALD Scan all local disks (not floppies).
    /AD Scan all disks (not floppies).
    /BS- Ignore system areas (default OFF).
    /BS+ System areas only.
    /B Do not sound alarm when infection found (default OFF).
    /CL: Repair files and boot sectors: /CL:0 no /CL:1 yes,
    /CL:2 also within archives (default in config).
    /CL Repair files and boot sectors. Same as /CL:1 (Default in config).
    /CP Scan compressed program files (default OFF).
    /C: Scan archive files: /C:0 no, /C:1 yes (default in config).
    /C Scan archive files. Same as /C:1 (default in config).
    /FLOPPY Read NSE files from separate floppy..
    /HUM Handle uncertified macros (Needs NSE\NVCMACRO.CRT from CatsClaw).
    /H Show help.
    /LG: Specify number of logfile generations (default number in Config).
    /LF: Specify fully qualified log file name (Overrides /LD: and /LG:).
    /LD: Specify directory for log files (default directory in Config).
    /L: Set logging level: /L:0=no, 1=yes, 2=verbose (Default in Config).
    /N Suppress the default memory scan.
    /O Ignore errors (default OFF).

    Type any key to continue

    /Q Quiet mode. No stdout output (default OFF).
    /R Repeat the scan (default OFF).
    /SB: Use sandbox: /SB:0=Off, /SB:1=On. (Default value in Config).
    /SN Do not allow user aborts (default OFF).
    /S Scan subdirectories (Default when scanning drives).
    /TEMP: Override environments TEMP/TMP.
    /U Do not stop on errors or when infections found (default OFF).
    /V Verbose mode (default OFF).
    /W: Wait a number of milliseconds between each file (default 0).
    /YH Abort when infection found (default OFF).

    Any advise on how we can use your tool to automatically scan USB drives when connected.

    Thanks
    Tom

    Comment by Tom — Thursday 5 November 2009 @ 11:45

  158. I’m missing the syntax to scan a specific drive. Does C:\NORMAN\Nvc\Bin\Nvcc.exe E: scan drive E: (ant no other drive)?

    Comment by Didier Stevens — Thursday 5 November 2009 @ 16:51

  159. I am trying to find out if anyone has successfully launched Microsoft Forefront using USBVirusScan on insertion of a USB Memory stick?
    MSASCui.exe will launch Forefront from the command line but it won’t launch through USBVirusScan regardless of the switches used.
    I’m using this in a batch file:
    cd: “C:\program files\Microsoft Forefront\Client Security\Client\Antimalware”
    START “IE” “c:\program files\USBVirusScan\USBVirusScan.exe” MSASCui.exe %%c:

    I have managed to get Symantec working from a batch file fine using the following syntax for anyone who is struggling with batch files:
    c:
    cd “C:\program files\symantec antivirus”
    START “IE” “C:\Program Files\USBVirusScan\USBVirusScan.exe” -i vpscan.exe /SHOWSCAN %%C:

    Comment by Lauren Tennent — Tuesday 24 November 2009 @ 6:29

  160. @Lauren

    I suggest you use the debug option to see what the exact commands are issued by USBVirusScan. I explained in comment 97 how to do this.

    Comment by Didier Stevens — Wednesday 25 November 2009 @ 10:11

  161. 00000006 140.33766174 [3444] Drive E: inserted.
    00000007 140.33766174 [3444] Volume name: UDISK 2.0
    00000008 140.33766174 [3444] Serial number: 7CCB85CF
    00000009 140.33766174 [3444] Filesystem: FAT
    00000010 140.33772278 [3444] “c:\ProgramFiles\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe”
    00000011 140.33821106 [3444] “c:\ProgramFiles\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe”

    Comment by Lauren Tennent — Wednesday 25 November 2009 @ 12:41

  162. I don’t understand how mpcmdrun.exe gets started if you don’t reference it in your command (cfr. #161). Did you change your command with which you start USBVirusScan?

    Comment by Didier Stevens — Wednesday 25 November 2009 @ 20:03

  163. Sorry I had run the wrong batch file.
    Here is the log results running the following command:

    c:
    cd “C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware”
    START “IE” “C:\Program Files\USBVirusScan\USBVirusScan.exe” -d mpcmdrun.exe -scan %%c:

    00000000 0.00000000 [3548] Drive E: inserted.
    00000001 0.00000000 [3548] Volume name:
    00000002 0.00000000 [3548] Serial number: 519A3CF1
    00000003 0.00000000 [3548] Filesystem: FAT
    00000004 0.00010996 [3548] mpcmdrun.exe -scan %c:
    00000005 0.00021037 [3548] mpcmdrun.exe -scan E:

    Using the mpcmdrun.exe -scan parameter without launching through usbvirusscan updates the signature files and then launches a full system scan. I wonder if it is failing because Forefront initially runs the signature file update?

    Comment by Lauren Tennent — Wednesday 2 December 2009 @ 7:06

  164. Don’t know. But you see that USBVirusScan starts mpcmdrun.exe -scan E:
    I believe you have to change your bat file like this:
    START “IE” “C:\Program Files\USBVirusScan\USBVirusScan.exe” -d “C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe” -scan %%c:

    Comment by Didier Stevens — Wednesday 2 December 2009 @ 21:30

  165. For anyone using Symantec products (SAV … not sure about SEP) …

    You can call a scan from the CMD-line of any drive you would like with VPScan.exe (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002100907421648).

    I haven’t tried VPScan.exe with Didier’s aforementioned scripts, but have used VPScan.exe in VBS and BAT scripts I wrote and have deployed via Altiris. Works like a champ!! I found that prefacing the Scan (VPScan.exe) with a call to VPDN_LU.exe (Live Update) will bring your SAV client up to their latest / greatest virus defs and allow the VPScan.exe to get all them mean & nasty viruses.

    Comment by Justin Baldwin — Friday 4 December 2009 @ 15:29

  166. Unless Symantec has added new features to their latest versions of Endpoint Protection, then no, calling VPScan.exe will NOT WORK! I spent a week trying to find a way to get SEP to work with USBVirusScan. Hence why in comment #121, my solution was to drop back down to the SAV line of products.

    I would really love it though if someone would prove me wrong on this point!

    Comment by Tim — Friday 4 December 2009 @ 17:46

  167. Great software, bought my granddaughter a netbook for Christmas and put on Kaspersky IS for ultra portables. Unlike it bigger brother KIS 2010 there is no function for auto scanning external drives and cards but this did the trick and doesn’t need any user input. If anyone is using KIS 2009 or earlier here is my batch file :-

    start USBVirusScan.exe -e c:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.com SCAN /REMDRIVES /i3 /fa

    The “start” at the beginning ensures that the CMD window closes after running (someone in an earlier post asked how to do this)
    SCAN – tells avp what to do
    /REMDRIVES – all removable dries and cards
    /i3 – Treat infected objects and if disinfection fails, delete. Delete all compound objects completely if infected parts cannot be deleted.
    /fa – Scan all files

    There are different options, seach KIS help file for scan.com

    Comment by Terry Cullen — Wednesday 9 December 2009 @ 16:08

  168. What is the command line argument when using Blink Antivirus?

    Comment by rmaloney — Friday 19 February 2010 @ 16:22

  169. I don’t know Blink. Search your manual for command line scanning, test it on a file and report the sytax here. Then I’ll see how to integrate it.

    Comment by Didier Stevens — Friday 19 February 2010 @ 16:28

  170. Hi
    This is nice Program but can you explain how use the program to windows7

    Comment by ganesh — Saturday 20 February 2010 @ 20:47

  171. @ganesh Just like on XP and Vista. Have you encountered a problem on 7?

    Comment by Didier Stevens — Saturday 27 February 2010 @ 10:52

  172. I have VirusScan Enterprise 8.7 and this is just what I’ve been looking for. Thank you very much.

    Comment by Jorge Renteria — Wednesday 3 March 2010 @ 20:10

  173. Hello!

    Im having trouble with this. I want USBVS to run vpscan with a ini file. I have the ini file configured to do scans and its been tested, works a treat.

    For some reason vpscan doesnt start running when a pen drive is plugged in, usbvs just sits there and doesnt do anything, as if the vpscan is not being called up.

    My line in the start file is USBVirusScan.exe “c:\Program Files\Symantec AntiVirus\vpscan.exe” /user /ini %d\

    Ive tried all kinds of variations, with and without the /user, with and without the %d\ and with a double %% in front of the D.

    Does anyone know where im going wrong?

    Thanks

    Scott

    Comment by Scott — Friday 19 March 2010 @ 12:14

  174. @Scott I suggest you use the debug option to see what the exact commands are issued by USBVirusScan. I explained in comment 97 how to do this.

    Comment by Didier Stevens — Friday 19 March 2010 @ 14:41

  175. Awesome program. Does just what I want it to. I’m using in conjunction with ejectusb.exe which will prevent the user from utilizing the drive before it is scanned. However, in doing so, I’ve encountered a couple of issues when scanning CDs and DVDs. As such, I’ve added a couple of lines to the scanusb.bat. Here is my text, but the CDs and DVDs are still scanning.

    if “%F%”==”CDFS” goto :EOF
    if “%F%”==”UDF” goto :EOF
    ejectusb.exe %1
    “c:\Progra~1\McAfee\VirusScan Enterprise\csscan.exe” /secure /quiet /log c:\USBvirusScanlog.txt %1
    %SystemRoot%\explorer.exe %1

    :END

    Comment by John — Tuesday 23 March 2010 @ 13:19

  176. @John Great, that’s why I added these variables.

    Comment by Didier Stevens — Tuesday 23 March 2010 @ 22:07

  177. Hi Didier;

    Can you please explain what the Switches “/secure” and “/quit” do?

    Thanks.

    Comment by Gregg — Wednesday 24 March 2010 @ 12:51

  178. @Gregg

    Actually, it’s -scan: -s scan available removable drives when USBVirusScan is started
    The -q switch will stop a running instance of USBVirusScan.

    Comment by Didier Stevens — Wednesday 24 March 2010 @ 14:41

  179. ok, sorry…… I guess I meant OPTIONS “/secure” and “/quit”. They are referred to a few times in this post. Are they not part of USBVirusScan.exe?, or they options for the AV executable?

    Comment by Gregg — Wednesday 24 March 2010 @ 14:54

  180. @Gregg NP. There is no /secure option in USBVirusScan. Only -s (-scan), use it to scan available removable drives when USBVirusScan is started.
    And -q (-quit)will stop a running instance of USBVirusScan.

    If you are refering to comment 24, the /secure /quiet switches are for Symantec’s VPC32.exe, not for USBVirusScan.exe

    Comment by Didier Stevens — Wednesday 24 March 2010 @ 14:59

  181. Hi,

    I’ve been trying to find something like this for a whilst now.

    I wish to automatically share the USB drive when i plug it into the computer using the Drive letter as the share name (i.e i plug the G Drive in, the share name is G_Drive).

    However, i can’t work out how to do it using your system – even using a batch file.

    Comment by Matthew Harrington — Wednesday 24 March 2010 @ 19:54

  182. @Matthew I believe you can do this with the NET SHARE command. Try to get it to work in a .BAT file (without USBVirusScan), and if it works, we’ll add USBVirusScan.

    Comment by Didier Stevens — Wednesday 24 March 2010 @ 21:10

  183. Hi,

    i have set up a batch using netshare, however it doesn’t recignise the %d that i enter.

    Is this something that will happen once we use the usbvirusscan in the line?

    Comment by Matthew — Thursday 25 March 2010 @ 7:51

  184. @Matthew Do you use 2 %-characters in your BAT file, like this %%d ?
    Otherwise cmd.exe will try to interpret %d as a BAT variable.

    Comment by Didier Stevens — Thursday 25 March 2010 @ 20:24

  185. Hi,

    Currently i have:
    USBVirusScan.exe net share “%d_Drive”=%d
    Exit

    Does this mean that i should use:
    USBVirusScan.exe net share “%%d_Drive”=%%d
    Exit

    If so, i shall try this out – should this be the startup command line of the batch.
    (I currently have a startup batch that manages all of the startup items – for example, programs etc..
    One of the current startup commands is:
    START USBVirusScan.exe -i
    Should i use the above with -i in as a startup command instead?).

    Comment by Matthew Harrington — Thursday 25 March 2010 @ 21:07

  186. @Matthew Yes; And if you’re still experiencing problems, I suggest you use the debug option to see what the exact commands are issued by USBVirusScan. I explained in comment 97 how to do this.

    Comment by Didier Stevens — Friday 26 March 2010 @ 20:22

  187. I got a problem with the new Antivir version 10.
    When i start Antivir with this command:
    “C:\Programme\Avira\Antivir Desktop\ avscan.exe” /GUIKODE=2 /Path=”D:\”
    at the end there comes a summary of the scan.
    That is new in version 10.

    Is there a way that there did not come this summary like in version 9?

    Comment by JohnnyB — Tuesday 20 April 2010 @ 6:48

  188. I may have missed it, but did comment number 4 ever get addressed? If there is a command line batch file scan started, how can you keep the user from stopping that scan from finishing? Is there a batch command of some sort to ‘not allow cancellation’? Anybody know this off the top of their heads? Thanks, Roy

    Comment by Roy F — Monday 26 April 2010 @ 14:07

  189. I have been using Avast4 with this line “”C:\Program Files\Alwil Software\Avast4\ashQuick.exe”” >>>>>>>>but with the new version5 it is just not working.
    …even though I have the corredct path eg: C:\Program Files\Alwil Software\Avast5\ashQuick.exe
    Please advise. Great site, thx

    Comment by Frank Peacock — Saturday 1 May 2010 @ 16:22

  190. @Frank Peacock What happens when you manually launch ashQuick.exe from the command line?

    Comment by Didier Stevens — Sunday 2 May 2010 @ 9:55

  191. Oh sorry was waiting for an e-mail response :) nothing happens, but I just had a look on another PC with Avast 4… and the Quick scanner pops up and is working just fine?

    Comment by Frank Peacock — Saturday 8 May 2010 @ 6:06

  192. @Frank Peacock Nothing happens? You should first get it to work manually, then you’ll know how to use it with USBVirusScan

    Comment by Didier Stevens — Saturday 8 May 2010 @ 13:16

  193. Nope, try as I may, it’s just not working! Anybody else have any ideas re version 5, As I am dropping it anyway.

    Comment by Frank Peacock — Saturday 22 May 2010 @ 11:37

  194. [...] soluzione è rappresentata da UsbVirusScan un’utility in grado di far partire automaticamente la scansione con l’antivirus [...]

    Pingback by Scansionare automaticamente una pendrive quando viene inserita | manualissimo.it | Il computer accessibile a tutti — Wednesday 28 July 2010 @ 13:38

  195. Hi the program is great. But i have a big question. I need the program after doing a virus scan to share the usb device. Is it possible to make the program perform 2 actions, one after another??

    Comment by bartek — Wednesday 4 August 2010 @ 14:08

  196. @bartek just create a .BAT file that executes 2 actions, adn call this .BAT file with USBVirusScan.

    Comment by Didier Stevens — Wednesday 4 August 2010 @ 15:38

  197. It’s me again. Thank you for the quick reply. I did try this earlier but the .bat file with those 2 actions doesn’t recognize the %%c parameter and I do not know how to pass it.
    I use the command:
    USBVirusScan execute.bat
    and the execute.bat looks like this:
    C:\Program Files\Alwil Software\Avast5\ashQuick.exe %%c: /a /c /i /p=1 /s /t=a –report
    net share share=%%c:\

    And i can’t figure out whats wrong. I would be most gratefull for your help

    Comment by bartek — Wednesday 4 August 2010 @ 16:10

  198. Ok i have already figured it out. Found a solution in yor earlier posts. thanks

    Comment by bartek — Wednesday 4 August 2010 @ 16:38

  199. [...] soluzione è rappresentata da UsbVirusScan un’utility in grado di far partire automaticamente la scansione con l’antivirus [...]

    Pingback by Scansionare automaticamente una pendrive quando viene inserita - Commenta la tecnologia, la telefonia, i software — Sunday 8 August 2010 @ 23:14

  200. For those of you using Microsoft Security Essentials – here’s the command line for the batch file:

    USBVirusScan.exe “c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe” Scan -Scantype [value] -Privileges restricted /target %c: /secure /quiet /log c:\log.txt

    It was a real pain getting MSE to work from command line but the argument above works automatically – it does not bring up a user interface but if you monitor event viewer under Windows Logs\System you will see the event info. The [value] argument is specific to the MpCmdrun.exe syntax and relates to whether you specify a Default values scan (0), Quick scan (1) or Full scan (2). I’ve chosen a Full scan with all locations (other than the USB device drive letter) excluded in the actual MSE interface…so my syntax looks like this:

    USBVirusScan.exe “c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe” Scan -Scantype 2 -Privileges restricted /target %c: /secure /quiet /log c:\log.txt

    So even though I’ve specified a full scan it only scans the USB device because MSE has excluded other locations

    Hope this helps anyone else out there who struggled with MSE

    I’m working on adding a line to the batch file that restores the MSE default settings so that it goes back to monitoring the whole system and not just USB devices. Will update this post when I’ve got it working!

    Comment by Moira Barkley — Tuesday 21 September 2010 @ 11:32

  201. Hi,

    Great tool.

    I have a modified McAfee Virusscan enterprise 8.7 command line for those who may be interested.

    USBVirusScan.exe -c “C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe” /secure /quiet /log %%c:\log.txt %%c:

    it drops a log file in the root of the USB drive.

    Keep up the good work.

    Regards

    Gordon

    Comment by Gordon — Friday 22 October 2010 @ 4:31

  202. hello my antivirus directory is C:\Program Files\Microsoft Security Essentials\ please tell me how to full scan automatically when usb plug please write code for me thank you and sorry my english

    Comment by erdinc — Tuesday 9 November 2010 @ 15:37

  203. Hello Didier,

    That is just the tool to automate backup of USB drive automatically when I insert it !
    I am using Cobien Backup which I found very nice and quite powerfull. The only option that is missing is luaching a backup when inserting a USB drive…

    I have a suggestion to make : would it be possible to add an option on the command line like “-v LABEL” that would launch the requested command only if volume with label “LABEL” is insterted ? That would avoid testing it within the bat file itself.

    Just a suggestion though as its already really usefull !
    Thanks.
    JS

    Comment by JS — Sunday 21 November 2010 @ 18:06

  204. @JS Thanks for the suggestion, but I believe this is better handled through scripting. You see, if I add this option, then there will be people who have 2 different sticks for which they want an action, and this will not help them.

    Comment by Didier Stevens — Sunday 21 November 2010 @ 18:17

  205. Thanks for this great application Didier.

    I’m trying to deploy your application in a public libary which will support the usage of usb drives.
    I’m running usbvirusscan from an logon script but the cmd/msdos prompt stays open after the application has been lauched.

    Because of this users can’t logon until they close this cmd window. I see you doing the same in your youtube video.

    Is there a way to start the application and close the cmd window start.bat opens?

    Regards,

    Erik

    Comment by Erik Jongkind — Wednesday 1 December 2010 @ 11:15

  206. not working on windows 7,USBVirusScan notepad.exe %d:\readme.txt always open c:\readme.txt, not the readme.txt of the usb flash that was inserted using USBVirusScan_V1_7_2.zip

    Comment by ocelas — Monday 20 December 2010 @ 21:47

  207. @ocelas It does work on Windows 7 (32 and 64 bit). But I can guess what you’re doing wrong. Are you doing this with a bat file? % is a special character in bat files and must be escaped, like this:
    USBVirusScan notepad.exe %%d:\readme.txt

    Comment by Didier Stevens — Tuesday 21 December 2010 @ 7:49

  208. Hello, i’ve got a problem in running Avira premium security suite: whether with the filescan-script nor the paramaters listet in 112 ff. above ist works. My last start.bat was:
    USBVirusScan.exe -s -c “C:\Programme\Avira\AntiVir Desktop\avscan.exe” /CFG=”C:\Programme\Avira\AntiVir Desktop\filescan.avp” /PATH=”j:\”
    avscan.exe starts but ends with the hint: invalid parameter, the application will be closed.
    The hotline did assume, that a the c++ code of USBScan has perhaps to be changed.
    The Line “%PROGRAMFILES%\Avira\AntiVir Desktop\avscan.exe” /PATH=”J:\” as Desktop-Application works well. There The USB-Stick J: is well scanned.
    Do you habe any solution for this problem?

    Comment by Suhrborg — Wednesday 29 December 2010 @ 16:22

  209. @Suhrborg Why do you hardcode the drive letter (J:) ? And why don’t you use the /CFG parameter in the Desktop-Application?
    What’s the output of debug mode?

    Comment by Didier Stevens — Wednesday 29 December 2010 @ 17:29

  210. Sorry, don’t worry about my problem, after restarting my PC all worked normally. The Problem, of others with avira in telling the programm which drive should be scanned was, that the german ” is another than the american ” (keyboard), so that in DOS-ASCII-Code the “j:” was turned into öj:ö . In Consequence avira scanned the drive “”.
    Many thanks for the perfect programm!
    Axel Suhrborg

    Comment by Suhrborg — Wednesday 29 December 2010 @ 17:45

  211. i have a multicard reader so, when i connect it to my computer, usbviruscan execute my program on any unit even the “empty” units, so i received many errors from windows. the classic “unit not found” so,

    is there a way on the sintaxis that only execute the program on units with serial number??

    maybe C:\USBVaccine\USBVirusScan.exe -c C:\USBVaccine\USBVaccine.cmd %d: %s><null

    Comment by Ocelas — Tuesday 4 January 2011 @ 16:51

  212. @Ocelas Interesting that’s something I’ll try to reproduce. You could solve your problem with a script or batch file: test if %s is not an empty string, and then launch your command.

    Comment by Didier Stevens — Tuesday 4 January 2011 @ 17:20

  213. [...] : Equivalents Windows : USBDumper et USBVirusScan (Merci Rémy). Categories: Pentest Tags: privacy, ruby, udev, usb Comments (2) [...]

    Pingback by Danger pour les clés usb | Time0ut — Wednesday 19 January 2011 @ 10:16

  214. Great tool man. Could you clarify the following:
    A: Is the ‘secure’ in the line the same as ‘/secure’ in MCAFEE command-line.
    B: What does the ‘quiet’ do ?
    C: Can I add my own action command to it. Am using mcafee and actions like clean, del are available.
    D. How do i close the cmd.exe prompt. I added ‘exit’ but it did not work. I have tried almost all the suggestions you’ve made so far but result is the same.
    Thank you

    Comment by kwame — Monday 21 February 2011 @ 11:46

  215. @kwame To what line with ‘secure’ are you referring? USBVirusScan has no secure option.

    Comment by Didier Stevens — Monday 21 February 2011 @ 12:19

  216. Didier, I was referring to /secure and /quiet in the start.bat file. Are they for mcafee? or they are generic. Please respond to the other issues I raised in my previous post. Thanks

    Comment by kwame — Monday 21 February 2011 @ 14:31

  217. @kwame Yes, /secure and /quiet are McAfee parameters.
    B) suppress progress bar
    C) Yes, must lookup the exact syntax though
    D) Please provide details how you start USBVirusScan and with what arguments

    Comment by Didier Stevens — Monday 21 February 2011 @ 16:19

  218. Thank you very much for the response. I have a batch file startusbscan.bat with this details:

    echo ‘starting usbvirus scan’

    USBVirusScan.exe -e “C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe” /target %%c: /secure /quiet /clean /del /log c:\log.txt

    exit

    I was of the opinion that the ‘exit’ should be able to exit the cmd.exe after USBVIRUSSCAN.EXE has started but it doesn’t. That’s the only issue left. Thank you once again

    Comment by kwame — Tuesday 22 February 2011 @ 8:33

  219. @kwame OK, and how do you start startusbscan.bat ?

    Comment by Didier Stevens — Tuesday 22 February 2011 @ 19:26

  220. I created a shortcut to the startusbscan.bat file and moved to the startup folder.i.e. ‘C:\Documents and Settings\user\Start Menu\Programs\Startup’ It starts alright but unable to close the cmd.exe afterwards.

    Comment by kwame — Tuesday 22 February 2011 @ 20:39

  221. @kwame OK, edit startusbscan.bat. Precede the line starting with USBVirusScan.exe with the word start, like this:
    start USBVirusScan.exe …
    And you can delete the exit, you don’t need it.

    Comment by Didier Stevens — Wednesday 23 February 2011 @ 9:44

  222. Thanks man. It works. I added start and is good.

    Comment by kwame — Wednesday 23 February 2011 @ 19:51

  223. HI..

    Wonderful tool and descriptive videos. But am quite stuck…..

    System Specs

    Am using Windows 7 Professional V 6.1 (Build 7601 SP1)
    Mcafee Virus-Scan+ Anti spy-ware enterprise 8.7i.

    Issue:

    I installed USBVirusScan with Admin rights in mcafee folder. Edited and modified “Start.bat” as below

    TYPE A: USBVirusScan.exe “C:\Program Files\McAfee\VirusScan Enterprise\csscan.exe” /target %%c: /secure /quiet /log c:\log.txt
    TYPE B: USBVirusScan.exe “C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe” /target %%c: /secure /quiet /log C:\log.txt

    When i enter a USB/CD/DVD/Network drive it shows the icon,volume name,drive letter, serial number, File system but i dont see a command prompt as shown in video and no c:\log.txt

    I have another question weather we have to start the bat file manually after every restart or is there any other way to trigger it automatically. I tried to add “start.bat” in startup but didn’t work.

    Please help

    Comment by Sam — Wednesday 13 April 2011 @ 5:49

  224. @Sam What’s the output when you use the debug switch?

    Comment by Didier Stevens — Wednesday 13 April 2011 @ 19:47

  225. @sam.Mcafee requires administrative rights on windows 7 before it can start.In order to this, you should be able to start the start.bat with admin privileges.Please follow the steps below to achieve this;

    A. Edit the start.bat. Provide the absolute path to the USBVirusScan.exe. Let’s assume is in a directory c:\script, then syntax will be:
    start c:\script\USBVirusScan.exe “C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe” /target %%c: /secure /quiet /log C:\log.txt”
    NOTE:Precede it with ‘start’ like i have done. The start will close the command prompt as soon as the program comes up else you have to close it manually.

    B.Create a task schedular
    1. Open the Start Menu, then type taskschd.msc in the search line and press enter.
    NOTE: This will open Task Scheduler. This file is located at:
    C:\Windows\system32\taskschd.msc.
    2.While having Task Scheduler Library selected in the left pane, click on Create task in the far right pane.
    3.Under the General tab, type in the “Name” of the program you want to create this shortcut for.
    NOTE: This will be the name of the task. As an example, I will use ‘startusbvirusscan’ for that program. Make note of this name, you will need it
    4. Under General tab,Check ‘Run with highest privileges’
    5. Under the Trigger tab, click New. Select onlogon from the drop down next to ‘begin a task’.The default is ‘any user’. Click on.
    6. Click on the Actions tab, then on the New button
    7.Under “Action”, select Start a program and click on the Browse button. Note: You are to locate the start.bat file. Assuming is in the directory called scripts on the c:\scripts
    Click OK

    8.Click on the Conditions tab, and uncheck the Stop if the computer switches to battery power box first, then uncheck the Start the task only if the computer is on AC power box. (See screenshots below)
    NOTE: This step is mostly for laptops, so that you will be able to run the program when the laptop is running on battery power.
    9.Click OK
    10.You will now see your new task created with the name (i.e.: startusbvirusscan) you gave it in step 3. Close Task Schedular
    11. Create a shortcut
    Right click on the desktop, select new,shoutcut and type this in ‘schtasks /run /tn the_you_gave_in_step_3 in my case startusbviruscan.
    This will start the program at logon. You don’t need to put in the startup folder.

    Good luck

    Comment by kwame From Ghana — Thursday 14 April 2011 @ 9:25

  226. hello
    I tried to use your program with avira and after much patience and experience I have found that the right way to recognize this, is PATH=”%%d:\”
    I hope this helps :)

    Comment by Claudio — Sunday 22 May 2011 @ 20:50

  227. Hi everyone,

    I am using “MS Forefront endpoint protection” in combination with “USBVirusScan” i tried all sorts of commands but i cant get it to work.

    Location USBVirusScan: C:\usbvirusscan\usbvirusscan.exe
    Code: START “IE” “C:\USBVirusScan\USBVirusScan.exe” -d “C:\Program Files\Microsoft Security Client\AntiMalware\MpCmdRun.exe” -scan %%c:

    Debugview:

    [1320] [KiesTrayAgent]Pre-Device Connected : 7, Device Connected : 8, Hubs Connected: 1
    [1320] [KiesTrayAgent]Pre-Device Connected : 8, Device Connected : 8, Hubs Connected: 1
    [1320] [KiesTrayAgent]Pre-Device Connected : 8, Device Connected : 8, Hubs Connected: 1
    [3624] Drive G: inserted.
    [3624] Volume name: Wesley
    [3624] Serial number: B286F90A
    [3624] Filesystem: NTFS
    [3624] “C:\Program Files\Microsoft Security Client\AntiMalware\MpCmdRun.exe” -scan %c:
    [3624] “C:\Program Files\Microsoft Security Client\AntiMalware\MpCmdRun.exe” -scan G:
    [1320] [KiesTrayAgent]Pre-Device Connected : 8, Device Connected : 8, Hubs Connected: 1

    I was hoping someone can help me out, what am i doing wrong?

    Thanks in advance,

    Wesley

    Comment by Wesley — Wednesday 21 September 2011 @ 7:13

  228. Has anyone figured this out yet?

    Thanks in advance,

    Wesley

    Comment by Wesley — Tuesday 27 September 2011 @ 9:29

  229. Hi, I’ve been trying to get USBvirsuscan work with avast 6, I tested the solutions provided here, but unfortunately none worked for me. I figured out the command line works, but when I try to use it with USBvirusscan it just doesn’t;
    Using the foillowing command line:

    ashquick.exe v:\ /action:chest

    it perform the scan giveng a report, but the following doesn’t:

    Usbvisrusscan “C:\program files\avast\ashquick.exe” %d: /action:chest

    I’ll appreciate any help you guys may give to me.

    Thank you

    Comment by Kurt — Wednesday 5 October 2011 @ 11:20

  230. @Kurt What doesn’t work? Does the scan run but you don’t get a report, or doesn’t the scan run? You can check with the debug option, look in previous comments about this debug option.

    Comment by Didier Stevens — Wednesday 5 October 2011 @ 11:26

  231. Hello Didier,

    I have the same problem: reply 229. The command line works but i don’t get a report, also i cant see if the scan is running.

    Comment by Wesley de Roode — Wednesday 5 October 2011 @ 11:36

  232. @Wesley What is the debug output? If you don’t know how to get it, it’s explained in the post.

    Comment by Didier Stevens — Wednesday 5 October 2011 @ 11:38

  233. This is what i get with debugview:

    Debugview:

    [1320] [KiesTrayAgent]Pre-Device Connected : 7, Device Connected : 8, Hubs Connected: 1
    [1320] [KiesTrayAgent]Pre-Device Connected : 8, Device Connected : 8, Hubs Connected: 1
    [1320] [KiesTrayAgent]Pre-Device Connected : 8, Device Connected : 8, Hubs Connected: 1
    [3624] Drive G: inserted.
    [3624] Volume name: Wesley
    [3624] Serial number: B286F90A
    [3624] Filesystem: NTFS
    [3624] “C:\Program Files\Microsoft Security Client\AntiMalware\MpCmdRun.exe” -scan %c:
    [3624] “C:\Program Files\Microsoft Security Client\AntiMalware\MpCmdRun.exe” -scan G:
    [1320] [KiesTrayAgent]Pre-Device Connected : 8, Device Connected : 8, Hubs Connected: 1

    I’m using:

    Location USBVirusScan: C:\usbvirusscan\usbvirusscan.exe

    Code: START “IE” “C:\USBVirusScan\USBVirusScan.exe” -d “C:\Program Files\Microsoft Security Client\AntiMalware\MpCmdRun.exe” -scan %%c:

    Comment by Wesley de Roode — Wednesday 5 October 2011 @ 11:58

  234. @Wesley This shows that USBVirusScan is properly configured and executes the following command when you insert a G: drive:

    “C:\Program Files\Microsoft Security Client\AntiMalware\MpCmdRun.exe” -scan G:

    If this command doesn’t do what you want, try it from a command line and tweak it until you get the result that you want. Then update the arguments to USBVirusScan.

    Comment by Didier Stevens — Wednesday 5 October 2011 @ 12:10

  235. Hello Didier,

    it does not perform the scan. I’ll try the debug option and I’ll let you know.
    thank you

    Comment by Kurt — Wednesday 5 October 2011 @ 19:14

  236. @Kurt Make sure you download the new version I just posted (1.7.3). It generates extra debug info about the launching of the program. If launching your scanner fails, it will include the error message from the Windows API.

    Comment by Didier Stevens — Wednesday 5 October 2011 @ 19:18

  237. Hello Didier,

    While performing some debug tests, I did a few experiments and it turned out that avast’s ashquick.exe did not accept %d: as a placeholder, but it had to be corrected into %%d:\. That way it worked just fine.

    Here are debug messages using %d:

    [1348] ***OnDeviceChange entered
    [5104] Drive V: inserted.
    [5104] Volume name:
    [5104] Serial number: 84DCA30F
    [5104] Filesystem: FAT32
    [5104] “D:\AVAST Software\Avast\ashquick.exe”
    [5104] “D:\AVAST Software\Avast\ashquick.exe”

    And using %%d:\

    [1348] ***OnDeviceChange entered
    [5776] Drive V: inserted.
    [5776] Volume name:
    [5776] Serial number: 84DCA30F
    [5776] Filesystem: FAT32
    [5776] “D:\AVAST Software\Avast\ashquick.exe” %d:\
    [5776] “D:\AVAST Software\Avast\ashquick.exe” V:\

    Besides, if you add “/action:chest” option avast will report the scan and move the virus files into its chest, othewise it will launch a pop-up warning you that you got a virus, but it won’t report it. Weird I guess.

    Thank you for your support, I hope my findings will be helpful for other users of this very useful program.

    Thank you

    Comment by Kurt — Wednesday 5 October 2011 @ 20:00

  238. @You are probably using a .BAT file. In a .BAT file, you have to escape the %-character: %%.

    Comment by Didier Stevens — Wednesday 5 October 2011 @ 20:11

  239. Is it possible to start two antiviruscanners?

    Comment by Anonymous — Thursday 24 November 2011 @ 8:07

  240. Yes, use a .bat file.

    Comment by Didier Stevens — Thursday 24 November 2011 @ 22:06

  241. Great utility.

    Used it successfully to set up and delete shares on Home Server as a Windows service (which is started automatically at switch-on).

    Now I switch on my connected external usb hard drive and the shares are set up; switch off and the shares are deleted.

    Exactly what I wanted to do.

    Thanks a million!

    Comment by Keggs — Sunday 27 November 2011 @ 18:28

  242. Awesome little software and it’s open source too. I’m running USBVirusScan as Windows service using WinServ windows service wrapper to trigger Free Avira command line virus scanner utility, …

    Comment by Sindhu Kurnia — Sunday 11 December 2011 @ 8:07

  243. [...] Download USBVirusScan | USBVirusScan Website [...]

    Pingback by SoQ » Blog Archive » Automatic Scan for Virus When Plug in USB Flash Drive — Sunday 15 January 2012 @ 17:44

  244. Hi I’m having problem using the %d option… I’m trying to use this so that it will run as part of a login script and will detect if a user has a specific file in the usb or not. One of the system I’m testing is a Windows 7 laptop which has a empty DVD drive (D:) which the system recognizes as a device with removable storage.

    In the login script, I have it calling your program as “%path%\USBVirusscan.exe -i -s %path%\testcmd.bat %d”

    Testcmd.bat basically checks to see if a specific file exist in the usbdrive so I have it as
    if exist %1:\file.txt goto end

    But what ends up happening all the time is %1 is always D: no matter if I plug in 2 new usb flash drives that have different drive letters. So it never checks the usb flash drives I connect

    Also, %v doesn’t work either… I basically add it as a second parameter ie. testcomd.bat %d %v
    but when I echo the values of %2 parameter (which is suppose to be %v), it is blank – again most likely since it’s trying to pull volume from the emtyp dvd drive?

    Any help would be greatly appreciated.

    Comment by Anonymous — Friday 10 February 2012 @ 16:42

  245. @Anonymous Take a close look at the start.bat file I include, it contains the answer to your problem. % is a reserved character in BAT files, you need to use %% in .BAT files to represent %.

    Comment by Didier Stevens — Friday 10 February 2012 @ 16:57

  246. Thanks for that tip.. that %% fixed my problem… however I noticed another problem with Cell Phone connected to PC as usb storage..

    1) Blackberry (bold and torch) throws a windows error titled “Windows – No Disk” and details “Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c” with options CANCEL, TRY AGAIN, CONTINUE.

    2) Plugging in a Samsung Android Phone, it doesn’t even recognize it at all as a USB storage and doesn’t execute any command.

    Any thoughts/comments?

    Thanks so much for your time and help!

    Comment by Alvin — Friday 10 February 2012 @ 20:59

  247. @Alvin Do these phones get assigned a drive letter?

    Comment by Didier Stevens — Friday 10 February 2012 @ 21:38

  248. The blackberries do end up getting a drive letter after getting the error message and after you enter the password to enter storage mode.

    For the Samsung Android phone, it doesn’t get a drive letter but you can browse the folders and copy/paste files to it.

    Thanks.

    Comment by Alvin — Friday 10 February 2012 @ 22:41

  249. @Alvin Can you confirm that this error message comes from USBVirusScan? You can check this with Process Explorer.

    Comment by Didier Stevens — Saturday 11 February 2012 @ 9:56

  250. @Didier How do i check this with Process Explorer? I’ve downloaded it and have it running while I generate the error by plugging in my blackberry. But how do I know where the error message is coming from?

    Comment by Alvin — Tuesday 28 February 2012 @ 16:52

  251. @Didier one more thing I noticed, when I plug in a blackberry, the blackberry will prompt me to enter my password to enter into Mass storage mode while the computer generates the error message. I noticed that once I enter my PIN on the blackberry and it goes to Mass Storage Mode, if I click on RETRY on the Error message it works. If I do not enter my PIN and leave the blackberry asking for PIN to enter Mass Storage Mode, my only option on the error message is to click on CANCEL or CONTINUE until the message goes away (and the number of times I need to click on this button depends on the number of commands in my batch file that tries to access the usb flash drive to see if a file exist). Based on this, it looks like the error message is related to the fact that blackberry doesn’t allow connection from the PC yet until it goes into MASS STORAGE mode (which requires my PIN). Still not sure who is generating the error message though – whether its USBVirusScan or something else.

    Comment by Alvin — Tuesday 28 February 2012 @ 17:11

  252. @Alvin On Process Explorer’s toolbar there a button called “Find Window’s Process’. You click it, drag to the error window, then release the button.
    PE will highlight the process associated with this Window.

    Comment by Didier Stevens — Tuesday 28 February 2012 @ 17:32

  253. @Didier It’s highlighting CSRSS.EXE

    Comment by Alvin — Tuesday 28 February 2012 @ 19:37

  254. hola Didier, me puedes ayudar requiero utilizar tu aplicación para activar automáticamente H:\myPortablePIM\myPP.exe no entiendo que comando debo aplicar y donde debo aplicar. y por cierto donde debo copiar la carpeta que contiene el usbvirusscan, pues yo requiero que la agenda virtual se abra cada vez que conecto la memoria usb. gracias por tu ayuda te estare muy agradecido att. marco o

    Comment by marco orozco — Tuesday 1 May 2012 @ 15:04

  255. @marco Hola Marco. Lo siento. No hablo Espanol.

    Comment by Didier Stevens — Tuesday 1 May 2012 @ 19:44

  256. [...] but you do have to have the program on the USB. I haven't used this but maybe it would be useful http://blog.didierstevens.com/programs/usbvirusscan/ __________________ Microsoft PowerPoint MVP Free Advanced PowerPoint Tips and [...]

    Pingback by Auto play .ppt file from USB with selection — Sunday 27 May 2012 @ 18:22

  257. Brilliant tool, thanks for creating it! Just one question: how do I get it to work on a multiple user workstation? Got it working for individual users, but would like to get it running for every user that logs onto the machine. any ideas?
    Cheers!

    Comment by Phil — Thursday 31 May 2012 @ 11:29

  258. @Phil You could put the command in Start Menu/Startup of All Users.

    Comment by Didier Stevens — Thursday 31 May 2012 @ 21:19

  259. This program works well, and I am using it to maintain synch of thumbdrive tools used by workers at several locations. Is there a way to enable the same function on SD and CompactFlash cards?

    Comment by Chris Plumlee — Thursday 7 June 2012 @ 14:26

  260. @Chris How do you connect the cards to the PC, don’t they show up with a drive letter?

    Comment by Didier Stevens — Thursday 7 June 2012 @ 20:19

  261. SD Cards connect to the SD socket integrated directly into my laptop or USB-enabled monitor; they appear as drive letters in Windows 7, but go unnoticed by USBVirusScan. I have not tried CF cards yet; someone borrowed my set — I will let you know what these do tomorrow.

    Comment by Chris Plumlee — Thursday 7 June 2012 @ 22:22

  262. @Chris I’ve had once the opportunity to test these integrated readers. They are always assiged a drive letter, even when no card is inserted, right?

    Simply put, USBVirusScan detects new drive letters, en that’s why it doesn’t detect cards.

    Comment by Didier Stevens — Friday 8 June 2012 @ 5:55

  263. Hi Didier. Is there a way to run this program without popping up in the task bar?

    Comment by Philip — Wednesday 27 June 2012 @ 11:53

  264. @Philip No, there is no option for that, it would require a change to the program. What is your use case?

    Comment by Didier Stevens — Wednesday 27 June 2012 @ 12:06

  265. Well, I’m just concerned that’d users would be worried about the icon, as they do when there’s something new going on. It’d be more of a nice to have rather than a requirement :)

    Comment by Philip — Wednesday 27 June 2012 @ 13:11

  266. @Philip I’ll add it to my todo list.

    Comment by Didier Stevens — Saturday 30 June 2012 @ 19:40

  267. @Philip I didn’t notice before, but in your answer you talk about the icon in stead of the taskbar. If you want to disable the icon, use option -i.

    Comment by Didier Stevens — Tuesday 28 August 2012 @ 16:20

  268. [...] can find this new version here. Like this:LikeBe the first to like this. Leave a [...]

    Pingback by Update: USBVirusScan 1.7.5 « Didier Stevens — Tuesday 28 August 2012 @ 18:57

  269. Great work boss..hats off

    Comment by D S Rathore — Friday 9 November 2012 @ 0:27

  270. For those who have trouble in scanning one usb-device with MS Essential Security, this worked in my case (USB-Directory J:/):

    USBVirusScan.exe -s cmd /k “C:\Programme\Microsoft Security Client\MpCmdRun.exe” -Scan

    -ScanType 3 -file J:\ -Trace -SignatureUpdate -MMPC -Restore -ListAll /secure /quit /log

    E:\USBVirusScan\log

    Comment by Dr. Axel Suhrborg — Friday 16 November 2012 @ 21:49

  271. How to do a virus scan with F-Secure when at USB is inserted?

    Comment by Peter — Wednesday 21 November 2012 @ 18:52

  272. trying to use this with Eset NOD32 version 4 – here are the contents of start.bat
    USBVirusScan.exe -d “C:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe” /action=clean %%d:
    it recognises the drive but the AV does not run – can you help please

    Comment by Geoff Solomon — Wednesday 24 April 2013 @ 11:31

  273. @Geoff Can you post the debug output?

    Comment by Didier Stevens — Wednesday 24 April 2013 @ 20:33

  274. here is the debug output
    00000001 0.00000000 [5480] [UVS] Drive F: inserted.
    00000002 0.00005228 [5480] [UVS] Serial number: 10C7F516
    00000003 0.00008595 [5480] [UVS] ôC:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe” /aind /action=clean %d
    00000004 0.00168893 [5480] [UVS] Process creation failed: The system cannot find the file specified.

    Comment by Geoff Solomon — Thursday 25 April 2013 @ 8:13

  275. @Geoff Note that in the third line, there is a strange character before C:\. This causes the process creation to fail. Check your bat file.

    Comment by Didier Stevens — Thursday 25 April 2013 @ 11:06

  276. Hi

    Here is the contents of my start.bat file now – this seems to work perfectly put a shortcut to it in Startup

    start D:\USBVirusScan\USBVirusScan.exe -d -B C:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe /aind /action=clean %%d:

    Thanks for your help

    Comment by Geoff Solomon — Thursday 25 April 2013 @ 12:45

  277. @Geoff You’re welcome.

    Comment by Didier Stevens — Friday 26 April 2013 @ 12:43

  278. if your using any avast antivirus software with command line executable file then try to paste this one to start.bat file:

    @echo off
    @color 9f
    cls
    @echo off
    cls
    @echo.
    @echo AUTO SCANNER IS NOW ACTIVATED…
    @echo.
    @echo This will scan your pendive everytime you plug-in…
    @echo And will take a few Seconds/ Minutes to finish….
    @echo.
    START USBVirusScan.exe “C:\Program Files\AVAST Software\Avast\ashCmd.exe” [-ce] IF EXIST (/target %%D: ) IF EXIST (/TARGET %%E: ) IF EXIST (/TARGET %%F: ) /p=[31] /secure

    /* this will automatically scan any device inserted on the usb port of your system unit. */

    By: Dymon

    Comment by Anonymous — Monday 6 May 2013 @ 13:54

  279. Hi, I tried to use the USBVirusScan with Sophos antivirus but failed. Could you advise the string to get it working ? Thanks.

    Comment by Ross Lee — Tuesday 26 November 2013 @ 6:16

  280. @Ross What command did you use?

    Comment by Didier Stevens — Tuesday 26 November 2013 @ 20:53

  281. Hi

    I used belowmentioned command in the start.bat file
    start USBVirusScan.exe “C:\Program Files\Sophos\Sophos-Antivirus\sav32cli.exe” /target %d:

    I would like to use the following commands and exceptions that comes with SAV32CLI

    SAV32CLI scanning options

    -extensive [ ] : Scan complete contents of files
    -di [ ] : Disinfect infected items
    -all [ ] : Scan all files
    -rec [ ] : Do recursive scan
    -remove [ ] : Remove infected objects

    One question that I have though, does %d: expression only scans the D drive ? I wish to scan any external drive/usb sticks that was inserted.

    Thank you

    Comment by Ross — Thursday 28 November 2013 @ 3:25

  282. @Ross Yes, %d: represents the drive letter of the USB stick that was inserted, but if you use it in a .BAT file, you have to know that % is a special character for .BAT files.
    So you have to use %%d: inside .BAT files (%% means you want to represent the % character inside .BAT files).

    Comment by Didier Stevens — Thursday 28 November 2013 @ 19:02

  283. Dider,
    This tools is great! I was trying to do a few additional actions though:

    1) Prompt user for email address and to an output text file (already made a bat file for that)
    2) Scan the drive automatically, when drive is inserted (done)
    3) Somehow separate the Mcafee log file, to just the scan that ran and not the whole log file (not sure how to do this)
    4) Combine the output text and individual Mcafee scan, into one log file (already have a bat file for that)
    5) Use sendmail (or the ilk), to send the log file, to a specified email address (already have sendmail working)
    6) Move combined log file to another directory, for retention. Delete text file and log file.

    I’m just stuck on #3, anyone know of a way to individualize the scan logs? I have a custom mcafee scan, that is tailored to removable devices.

    Any help would be highly appreciated!

    Comment by Jason — Thursday 20 February 2014 @ 18:09

  284. @Jason Maybe with finstr (or grep) extract the report from the logfile.

    Comment by Didier Stevens — Friday 21 February 2014 @ 0:09


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 198 other followers

%d bloggers like this: