
When using a portable USB flash drive or disk it's important to understand the risk of infection; you may not be as safe as you think.

I put my USB device in many computers, XP, Vista and Win7 on a daily basis. What are some options to protect it from becoming infected and/or transmitting malware from one computer to another?

With the recent rash of malware that spreads by infecting removable media such as USB drives, you're right to be concerned.

There are several approaches, but they depend on just what kind of control you have over the various computers you're using.

Internet Safety Begins at Home.

By far the best and most effective way to prevent malware from spreading to your USB device is to keep the machines that you connect it to clean and malware-free in the first place.

For machines that you control, that means the standard techniques:

  • Use a firewall

  • Keep the operating system and all software up to date

  • Scan for viruses and spyware regularly

  • Be alert and practice safe computing (avoid bad sites, attachments, scams and the like).

If there's no malware on the machine, then there's no malware to infect the device you plug into it, simple as that.

Safety On The Road: Can't Touch This

If you must connect your USB device to computers that you don't control (for example, library computers or other public, school or perhaps even business computers), then you must take additional steps.

  • Get a USB device that has a "write protect" switch, and ensure that the device cannot be written to when inserted into a computer that you don't control.

Honestly, I tried to think of additional steps or alternatives, but nothing seems even close to practical.

Suspicion Spreads Like A Virus

If you insert a non-write-protected USB device into a computer that you can't trust, that USB device immediately becomes untrustworthy itself.

You don't know that the untrusted machine isn't infected, and you don't know that the malware didn't just infect your device.

Now, I suppose you could dedicate a machine of your own, isolated from your local network, that you could bring the device back to in order to plug in. You would allow that machine to run the risk of getting infected. Each time after inserting the USB device into that machine you would completely restore that machine from some kind of image.

But even then, to what point? That doesn't make whatever data you're attempting to transfer any safer.

The fundamental problem is that any type of file transfer from a computer you can't completely trust to your own opens up the risk of malware transfer.

At a minimum that isolated machine could run malware checks to at least raise your confidence level that you're not bringing back more than you bargained for.

Article C4667 - December 2, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


20 Comments
Houssam S.Mousa
December 3, 2010 1:12 AM

I use another alternative to write-protect my USB stick or external HDD: I use a TrueCrypt container, and either mount it as read-only or set the container's attribute to Read-Only. Either way, it is unwritable, but of course this makes it just like a write-protected floppy disk: you cannot write changes.

Unfortunately that TrueCrypt container might be protected, but if it's a normal Truecrypt volume the USB stick itself needs to be inserted and visible to see it. Thus the USB stick outside of the TrueCrypt container could still be vulnerable.
Leo
03-Dec-2010

Mark Jacobs
December 4, 2010 6:36 AM

Doesn't it also help to have autoplay turned off on your computer so any virus that might be on your stick won't automatically run?

It definitely does help, but it's not a 100% solution.
Leo
04-Dec-2010

Oliver Jenner
December 7, 2010 8:32 AM

mmm.....I once picked up spyware on my 'dongle' - annoying that it was locked into a 'bin' file, and even more annoying was the fact that 'dragging' a copy to the desktop allowed instant removal by my antivirus. (no overall harm was leaked onto my system - though for peace of mind I decided to buy an identical one again ('dongle'))

louis
December 7, 2010 8:57 AM

I have been using Panda USB Vaccine for a year or so(successfully). Anybody else have thoughts on this one?

Gustavo
December 7, 2010 9:32 AM

ninja pendisk

Dave Lagesse
December 7, 2010 10:18 AM

There HAS to be many programs out on the Internet that address this problem!
I have seen references to those kind of programs.

One would think, however the mere act of plugging in a USB drive to clean it puts your host system at risk - even before you could run any such tool.
Leo
07-Dec-2010

Ron Hansen
December 7, 2010 11:29 AM

Is there software for a USB device if it does not have a switch?

Bob Stromberg
December 7, 2010 11:49 AM

I've used the Flash Drive Disinfector described at http://www.bleepingcomputer.com/forums/topic357860.html.

I'd love to see some tested results...

The problem is that you have to plug in the USB drive into a computer to disinfect it - which could in turn infect the computer you plugged it into prior to running the cleaning tool.
Leo
07-Dec-2010

Michael Horowitz
December 7, 2010 4:29 PM

I just had a USB flash drive infected after it was inserted into an infected computer. Haven't seen a USB flash drive with a hardware level write protect switch in many years. Anyone have specific makes/models?

NewDimTech
December 7, 2010 6:23 PM

As a bench tech, I use my USB drive on just about every machine that gets to our bench. The only machine I trust is my own. I have a program on it called DFC (Dummy File Creator), and it does just that. After the occasional update of the software I carry, I use DFC to create a dummy file to fill the remaining unused space on the drive. Instant drive protection, if there's no free space, it can't be written on by anything. Not the most elegant solution, but it works.

I like it. (Except for viruses that modify files in place, though. Not sure how prevalent that is in USB-payloads.)
Leo
08-Dec-2010
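
Added example (not part of the original article or comments): the ballast-file trick leaves in-place modification open, so this Python script records a size and SHA-256 for every file on the drive before it travels and compares them afterwards. The function names and the sample file names are this example's own assumptions.

```python
import hashlib
from pathlib import Path


def snapshot(root):
    """Map each file's relative path to (size, SHA-256). Files are read, never run."""
    root, manifest = Path(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as handle:
            # Hash in 1 MiB chunks so a large ballast file is never loaded whole.
            for chunk in iter(lambda: handle.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = (path.stat().st_size, digest.hexdigest())
    return manifest


def compare(before, after):
    """Report what changed between two snapshots of the same drive."""
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo():
    """Constructed sample: a full drive where one tool is overwritten at the same size."""
    import tempfile
    with tempfile.TemporaryDirectory() as drive:
        tool = Path(drive, "tools", "cleanup.exe")
        tool.parent.mkdir()
        tool.write_bytes(b"MZ" + b"\x00" * 62)
        Path(drive, "ballast.bin").write_bytes(b"\xff" * 4096)
        before = snapshot(drive)                 # taken on the trusted machine
        tool.write_bytes(b"MZ" + b"\x90" * 62)   # same length, different content
        return compare(before, snapshot(drive))


if __name__ == "__main__":
    print(demo())
```

The overwritten file keeps its size and the drive stays full, so only the hash comparison reports it.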

Steven Lewis
December 7, 2010 6:27 PM

USB infections and download (bittorrent,etc) trojans have been two big disease vectors in our extended family in the last several years.

But since denying auto-run on the windows pcs, the USB-carried infections have died down. That, combined with stressing that everyone scan any usb stick, ipod, camera card, etc, right away whenever they connect it to their pc.

Also, I've impressed on all to be aware that plugging these cards, USBs, etc into "foreign" pcs is always risky. Do it only when absolutely needed.

Together, these practices have worked well enough to make it a non-issue over the last year or so....fingers crossed!

None of our current devices have write protection, nor have I seen it, but I'll certainly look for that feature in the future, thanks.

John L Brown
December 7, 2010 7:25 PM

Leo, what about dedicated USB devices, such as an external hard drive. Are they not subject to the same possible infection, if so, what advice would you offer? True, in my case, the external hard drive is generally on only when I have need of it. Though sometimes, inadvertently, it will run for an extended period of time. Relatedly, should I include it when running my various anti-malware and anti-virus scans?

If you leave it connected to your computer all the time then you should consider it just like any other drive on your computer and make sure your anti-malware software scans it just like the other drives. If you move it from machine to machine then treat it as described in the article: connecting to an untrustworthy machine puts it at risk.
Leo
08-Dec-2010

Ravi Agrawal
December 7, 2010 7:43 PM

Create a folder named autorun.inf on the root of the USB drive. Set its properties to hidden & system & read-only.

This way any infected machine will not be able to create / replace any autorun.inf file on your USB stick thus offering good protection. This approach has always worked for me.

Ravi.

I like this. While it doesn't protect against every possible way a USB device could be infected, it certainly causes one of the most common ways it propagates to fail.
Leo
08-Dec-2010

Bob Stromberg
December 8, 2010 7:45 AM

In an earlier comment I said I used the Flash Drive Disinfector. Leo's reply: "The problem is that you have to plug in the USB drive into a computer to disinfect it - which could in turn infect the computer you plugged it into prior to running the cleaning tool."

Yes, quite right. I start with a new (or freshly formatted) flash drive, plug it into a trusted system and run the tool. BTW, I tried this with a flash drive that had files on it already, and it didn't seem to work.

This is an excellent article and discussion. Thank you!

Glenn P.
December 14, 2010 10:53 AM

FYI: The type of "dummy" files that NewDimTech refers to, have a specific name: "ballast files", because just like real ballast used on board ships, they are junk, intended only to take up space (and also weight in the case of an actual ship or sub) and to be dumped overboard just as soon as their temporary, space-hogging purpose has been served.

Ron N.
December 15, 2010 8:26 AM

Just put a SD card into a USB adapter. SD cards all have a lock-out slide on them. The Rosewill adapters can be found at newegg for about $7.00. I use these for my bootable Linux distros too.

We techs plug our devices into heavily infected computers every day. Never any problem.

Also, there is a flash drive made by Kanguru that has a locking slide on it. You can probably find it at newegg.
Packrat1947

Ronald Nosack
December 15, 2010 9:12 AM

Here's the name of a good lockable drive. Kanguru Flashblu II™
You can see this at Kanguru's website. It is 12 bucks.

PQI also make one, but it is very slow. I own one, but rarely use it. Also, the lock switch is buried in a little hole. I put mine in a milling machine and opened up the plastic. Now I don't need a pencil to access the switch. This was designed by people who never used it in the real world.

Personally, I just use the SD cards in a Rosewill adapter. This adapter is compliant with the 4 gig plus SDHCs. Using this adapter allows SDHC drives to be seen in older computers, so it solves multiple problems. Case in point. Recently, one of my customers returned from a vacation and could not bring up the pictures on their laptop. They thought that everything was deleted somehow. Anyhow, once the SD was plugged into the Rosewill, the pictures were seen, and then copied off.

Packrat1947

JMJM
December 21, 2010 11:45 AM

I also use Panda USB Vaccine successfully. This can both protect your computer from being infected by a compromised USB device and also "vaccinate" a USB device against infection - double protection.

Also, "USB device" is not just a flash drive. I know of a case where a computer was infected by an infected digital camera.

Camera, video camera, mp3 player - anything that "looks like" a disk drive to Windows when plugged in.
Leo
22-Dec-2010

Carequinha Cabeludo
December 28, 2010 9:53 AM

Use USB Vaccine from Panda ( http://www.pandasecurity.com/homeusers/downloads/usbvaccine/ ), it creates an untouchable 'autorun.inf' file on your USB device, which viruses can't modify to spread their infection. It works wonderfully!

Viv
January 11, 2011 11:49 AM

Even though this article is about prevention, there are some precautionary measures one can take when in doubt:

Press and hold the 'Shift' key when inserting a USB device. This will prevent the autorun feature even if it isn't already disabled via group policy and Registry Editor or other software.

And instead of double clicking / right clicking your way into the device in 'Computer', type the path (for eg. "G:\") without the quotes in the address bar and press enter. And if you are comfortable with Windows, you can manually delete suspicious files like autorun.inf, *.exe, *.scr, *.vbs etc. if present in the device and you are sure it shouldn't be there. To be thorough you may also want to enable the "Show Hidden Files" option and disable the "Hide file extensions" and "Hide protected OS files" options under the "Folder Options".
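
Added example (not part of the original article or comments): the manual root-folder check described in the comment above, together with the autorun.inf folder trick from Ravi Agrawal's comment, written as a Python script that lists findings without opening or running anything on the drive. The function names, the finding labels and the sample file names are this example's own assumptions.

```python
from pathlib import Path

# Extensions named in the comment above; extend the set to suit your own policy.
SUSPECT_EXT = {".exe", ".scr", ".vbs"}
# [autorun] keys that make Windows launch something.
LAUNCH_KEYS = {"open", "shellexecute"}


def launch_targets(text):
    """Return (key, value) pairs in the [autorun] section that start a program."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command entries add a launchable context-menu verb.
            if key in LAUNCH_KEYS or key.endswith("\\command"):
                targets.append((key, value))
    return targets


def audit_drive_root(root):
    """List findings for the top level of a mounted drive; nothing is executed.

    iterdir() also returns hidden and system entries that Explorer hides.
    """
    findings = []
    for entry in sorted(Path(root).iterdir()):
        if entry.name.lower() == "autorun.inf":
            if entry.is_dir():
                findings.append(("info", "autorun.inf is a folder, not a file"))
                continue
            raw = entry.read_bytes()
            utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
            text = raw.decode("utf-16" if utf16 else "latin-1", errors="replace")
            for key, value in launch_targets(text):
                findings.append(("alert", f"autorun.inf {key} -> {value}"))
        elif entry.is_file() and entry.suffix.lower() in SUSPECT_EXT:
            findings.append(("review", f"executable or script in root: {entry.name}"))
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as drive:  # constructed stand-in for G:\
        Path(drive, "autorun.inf").write_text("[autorun]\nopen=recycler\\setup.exe\n")
        Path(drive, "photos.scr").write_bytes(b"MZ")
        for level, message in audit_drive_root(drive):
            print(f"{level:6} {message}")
```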
