I need to scan the contents of a USB stick with several antivirus software. I have several ways to do this.

Either I mount the key, scan its contents (I may place the suspicious files in quarantine), copy the files to the host, format the key and copy the files back to the key. This solution is super slow and is the worst solution.

I'm thinking more of a solution that mounts the key and copies the files one by one into a sandbox; each new file that arrives (FIFO stack) is scanned (possibly placed in quarantine), and once the whole copy and analysis of the key's contents is complete, I format the key and copy the healthy files back in the other direction. What do you think in terms of security? Do you have another solution in mind?

Thank you for your help

Rig0L

1 Answer

Assuming that the USB flash drive is in fact just a flash drive:

Do a Physical Image of the device without ever mounting it.

Analyse the Image on an isolated machine or sandbox.

You don't say why you are doing this, but the above method allows analysis of unallocated and slack space that your file copy approach will not.

If this is for more than your own use in an attempt to clean up, such as for legal action, there are additional steps necessary.

----------- edit: response to comment -----------

"The goal of the operation is to build a usb cleaner station"

Since you are not interested in unallocated space or performing an analysis as stated, but rather a standard virus scan and clean, why do you feel you need to perform a format and repopulate? Most similar systems I've dealt with consist of a standalone workstation with multiple virus scanners that run against the inserted media. Simply deleting, or overwriting if concerned, detected malware is no different than not finding it in unallocated space in the first place.

Note also that formatting and repopulating can create its own problems. It will disable bootable devices. It may also disable DRM files dependent upon time stamps.

Also, there may be multiple file formats. Within plain Windows 10, you may encounter NTFS, FAT16, FAT32, or exFAT. There may even be multiple partitions.

I'd suggest that any reformatting be punted to the user/owner of the media after providing scan results.

user10216038
  • Thank you for your response. The goal of the operation is to build a usb cleaner station. So the operation must be as fast as possible. I'm afraid that the physical image of the usb device will take too long for my use. However, what tools do you recommend to do an image analysis? – Rig0L Apr 23 '20 at 18:22
  • I prefer to have only NTFS formatted devices (readable everywhere) and I need to change the label of the usb devices. On some keys I can't change the label without formatting the device. – Rig0L Apr 23 '20 at 20:38
  • @Rig0L - Given your additional parameters, I don't see another approach to the one you stated. I know you described two, but they seem to be the same to me. – user10216038 Apr 23 '20 at 20:44
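The image-then-scan workflow from the answer, as an added example that is not the answerer's own code: it images the raw device without mounting it, records a SHA-256 so later tampering is detectable, and scans the image read-only on the isolated host. It assumes a Linux host with GNU dd, sha256sum, losetup, mount and ClamAV's clamscan; the function names and the mount point are hypothetical.

```shell
# image_device DEVICE IMAGE: acquire a physical (sector-level) image of an
# unmounted device and print its SHA-256, which is also saved beside the image.
image_device() {
    dev="$1"; img="$2"
    # bs=512 keeps conv=sync padding sector-sized; noerror,sync reads past bad
    # sectors and zero-fills them instead of aborting or shifting offsets.
    dd if="$dev" of="$img" bs=512 conv=noerror,sync status=none || return 1
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
    cat "$img.sha256"
}

# verify_image IMAGE: succeed only if the image still matches its recorded hash.
verify_image() {
    img="$1"
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$(cat "$img.sha256")" ]
}

# scan_image IMAGE [MOUNTPOINT]: mount every partition of the image read-only
# (ro,noexec,nodev,nosuid so nothing on it can run) and scan it with ClamAV.
# Needs root. Returns 0 if clean, 1 if clamscan reported infections, 2 on error.
scan_image() {
    img="$1"; mnt="${2:-/mnt/usbimg}"   # /mnt/usbimg is an assumed mount point
    verify_image "$img" || { echo "image hash mismatch, refusing to scan" >&2; return 2; }
    loop=$(losetup --find --show --read-only -P "$img") || return 2
    mkdir -p "$mnt"
    status=0
    # Try each partition device, then the whole device for partition-less media.
    for part in "${loop}p"* "$loop"; do
        mount -o ro,noexec,nodev,nosuid "$part" "$mnt" 2>/dev/null || continue
        # clamscan exits 1 when infections are found; keep scanning other partitions.
        clamscan -r --infected "$mnt" || status=1
        umount "$mnt"
    done
    losetup -d "$loop"
    return $status
}
```

Because the image is never written to, the same file can be rescanned with additional engines, and a hash mismatch at scan time means the image was altered between acquisition and analysis.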