Didier Stevens

Monday 16 October 2006


Filed under: My Software — Didier Stevens @ 10:09

When Bruce Scheiner blogged about USBDumper, I downloaded the program and filed it for some later experimentation.

During our vacation I started programming on a rainy evening, and USBVirusScan was born.

USBVirusScan will launch any program you provide as a command line parameter each time a USB stick is inserted. I use it to start a full virus scan on the inserted USB drive, hence the name.

For example, to start a cmd.exe on each USB drive you insert, you start USBVirusScan like this:

USBVirusScan cmd /k %c:

%c is a placeholder for the drive-letter of the inserted USB drive (yes, that’s %c like C’s printf function, and no, that’s not completely secure, but feel free to adapt it…).

USBVirusScan uses a system tray icon and balloons to announce the insertion of a USB drive. If you want to hide this system tray icon, start USBVirusScan with option -i, like this:
USBVirusScan -i cmd /k %c:

You can also hide the command line console with option -c. This only works with Console applications, not with Windows applications.

Here’s a Windows Script example (log.vbs) that will create a log.txt file on the inserted USB drive with the current date & time:

Dim objFSO

Dim objTextFile

Dim strFilename
strFilename = Wscript.Arguments.Item(0) & ":\\log.txt"

Set objFSO = CreateObject("Scripting.FileSystemObject")

If objFSO.FileExists(strFilename) Then

   Set objTextFile = objFSO.OpenTextFile(strFilename, 8 )


   Set objTextFile = objFSO.CreateTextFile(strFilename)

End If

objTextFile.WriteLine Now()


You start it with this command: USBVirusScan.exe wscript log.vbs %c

Example of the content of the log file after inserting the USB drive twice:

14/10/2006 17:05:00
14/10/2006 17:05:21

I used sample code for system tray programming from this Code Project article, and for the rest I generate a new GUID and did some cosmetic changes to the original USBDumper code.

Here is a YouTube movie showing you the program starting a virus scan. A hires (XviD) version can be found here.


USBVirusScan_V1_0_0.zip (https)

MD5: 7EC0D456717162B84A229CC4A8335B51

This ZIP file contains both the executable and the source code. If you don’t plan to modify the source code of this program, you’ll only need to extract USBVirusScan.exe.

Compiled with Borland’s free C++ 5.5 compiler. Tested on Windows XP SP2 and Windows Vista.


  1. […] read more | digg story […]

    Pingback by USBVirusScan « Free Utilities Blog — Tuesday 17 October 2006 @ 6:03

  2. […] Homepage – Download USBVirusScan – How To Install USBVirusScan […]

    Pingback by 10 Practical Ways to Prevent USB-Borne Virus Infection — Tuesday 27 May 2008 @ 9:09

  3. Download Link is not working at the moment. I was excited to give this a try.

    Comment by David — Wednesday 28 January 2009 @ 17:16

  4. This is an old version, the latest version can always be found here: https://blog.didierstevens.com/programs/usbvirusscan/

    Comment by Didier Stevens — Wednesday 28 January 2009 @ 17:34

  5. Hi i was just wondering if you have the path and commands for mcafee 8.5i and 8.7i, this works great with 8.0i but we are upgrading.


    Comment by Rick — Wednesday 16 December 2009 @ 16:32

  6. @Rick csscan.exe has the same options, but it’s in C:\Program Files\McAfee\VirusScan Enterprise\ now.

    Comment by Didier Stevens — Wednesday 23 December 2009 @ 12:57

  7. Hello Didier,

    I am @unixfreaxjp/twitter.
    related to this article, I think you should know that, I found the malware using the this software as filename by using another packer/installer with the same installer filename and same binaries inside (hashes were different though)

    The binaries of malwares is changing now, and I am still fighting to get rid off this malware from this web server.

    This is the report (sorry in japanese, using google translation will help to understand)



    Comment by Hendrik ADRIAN — Thursday 26 May 2011 @ 6:06

  8. Hi Didier,
    I was finally able to get it going with ESET but there is a strange problem. If I type the command in a command window to launch it, everything works file.
    However If I make a batch file (which I need to launch at startup), the batchfile scans local drive only. It does not seem to understand the %c: or %d: parameter. Any thoughts? I’m using this and it runs fine when I type it in.

    USBVirusScan.exe -s “C:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe” /action=clean %c: /log-file=%userprofile%\desktop\USBscan.log /log-all /log-rewrite /aind

    Comment by Sanjeev — Friday 25 October 2013 @ 19:39

  9. @Sanjeev You can find an explanation in the comments of the USBVirusScan page:

    % is a special character in BAT files. So if you want the BAT file to pass %c to USBVirusScan, you need to write %%c.

    Comment by Didier Stevens — Friday 25 October 2013 @ 19:44

  10. Awesome, that extra % worked, but the cmd window stays open (because usbvirusscan is running now). I did go the the discussion but didn’t see this issue.

    Any way of getting around it?

    Comment by Sanjeev — Friday 25 October 2013 @ 20:22

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.