Embed Size (px)
Citation preview
MCShield is an antimalware tool designed to prevent infections transmitted via removable
drives (USB flash drives, memory cards (cameras, phones, GPS devices…), external hard
drives).
Program features:
detection of newly connected drives and automatic scanning;
automatic removal mode which makes use of this software possible to everyone regardless of their
operating system and malware related knowledge;
interactive mode for advanced users who desire more control over the scan process;
ultra fast scanning of root and certain special folders on the hard drives and adaptive scanning of removable
drives;
on demand drive scanning;
advanced general and infection specific heuristics;
automatic database and program updates;
completely negligible impact on system performance;
optimal functionality without any additional settings;
possibility to modify the programs behavior according to specific user’s needs;
various color schemes for the user interface;
creation of backup copies of everything that program detects and deletes;
display of real-time global statistics and news;
localization (18 languages at the moment);
and more…
The largest part of MCShield’s detections is based on generic routines designed for detection of certain prevalent worm
families and heuristical analysis of drives’ contents. The detection level is additionally improved through mathematical
signatures, known bad file and folder names databases and digital signature checks using our database of trusted
publishers.
Usage safety and prevention of false detections is performed through multiple verification of legitimacy of files
performed inside the detection routines and, additionally, by cross-referencing the scan results with the legitimate files
database. To ensure the optimal protection level without decrease in functionality, MCShield enables it’s users to add
their own files to the white list – items in this list shall never be detected regardless of how suspicious the program
might consider them.
Program’s main components
Real-Time Monitor – is responsible for background monitoring and detection of new drives.
When a new drive is detected, the Monitor will launch the Drive Scanner and instruct it to perform the scan.
Monitor’s icon ( ) is placed in the notification area (“system tray”). Right click the icon to access the tray menu:
Control Center – opens the Control Center;
Stop the scan – stops the currently running scan (available only during the scan);
Disable/Enable protection – disables/enables the protection;
Game Mode – disables Monitor’s notifications;
Update – performs an update;
Exit – closes the Monitor and disables the protection.
Left double click on the tray icon opens the Control Center.
Drive Scanner – is responsible for drive scanning, detection and removal of malware.
While the scan is in progress, the tray icon will be animated (rotation around the vertical axis) to let you know the
program is working. If the scan takes more than 10 seconds, the Scanner may provide additional notifications in the tray
area.
When the scan is finished, the program will inform you that no malware was detected (if the drive was clean) or provide
a log of all actions that have been taken (in case of infection).
Control Center – enables you to choose the language and visual style, adjust the settings, perform an update, access the
quarantine and the white list. Also, the Control Center provides access to statistics, news from our website and
additional information about the program.
Version 3 of the program comes with a brand new user interface featuring new tabs, options and can be customized by
selecting one of the 4 visual styles.
The following is a screenshot of Control Center using “MCS Blue” theme.
Of course, you won’t see the red rectangles; they’re just there to help us explain different elements on the Status tab.
Other visual styles:
Status tab: our welcome screen providing diverse functions:
1 : the tab area. You’ll see this on all tabs. Just click to open the desired tab
2 : main status area. This is an active area. By clicking the graphical element (✔,−,✖) you can:
enable / disable protection or start the Real-Time Monitor
enable / disable automatic updates
enable / disable MCS Cloud functions
✔ means the protection / option is enabled
− means the protection / option is disabled (not recommended)
✖ means the Real-Time Monitor is not running (not recommended)
3 : this is an active area; click the icon to open our Facebook page, website or to send us an email
4 : “Info bar” provides information about your operating system, online status and selected settings:
or - you are using 32 or 64 bit operating system
or - you are using Windows 7 (or older) or Windows 8 (or newer) operating system
- program has access to www.mcshield.net (grey icon = no access to our website)
- program is set to start with Windows (grey = no autostart)
- initial scan of hard drives is enabled (grey = hard drives are not scanned when program
starts)
- initial scan of flash drives is enabled (grey = flash drives are not scanned when program
starts)
- automatic removal mode is enabled (grey = interactive mode is enabled)
- quarantine is enabled (grey = quarantine is disabled)
- paranoid mode is enabled (grey = paranoid mode is disabled)
- game mode is enabled (grey = game mode is disabled)
5 : Donate button (just in case you wish to support further development of MCShield)
General tab:
Language – language selection
Visual style – visual style selection
Run MCShield when Windows starts – starts the program with Windows (recommended)
Allow MCS Cloud functions – enables statistics, news and reporting (see: MCS Cloud section)
Add “Scan with MCShield” to drives’ menu – adds an option to the drives’ right click menu (Windows
Explorer context menu) that can be used to manually start a scan (administrative privileges are required
to change this option – a log in window or an UAC prompt might appear)
Don’t show initial notifications – disables notifications that appear when the program starts
Don’t show notifications about clean drives – disables notifications about clean drives
Don’t show notifications about infected drives – disables notifications and prompts about infected
drives
Don’t show notifications during the scan – disables notifications that may appear during the scan
Don’t prompt to show logs – disables prompts about whether the log is to be shown or not
Always show the log file in case of infection – if malware was found, show the log file directly
Defaults – selects the default settings on this tab
Scanner tab:
When MCShield starts, scan all:
Flash drives and memory cards – enables initial scan of all flash drives
Hard disk drives – enables initial scan of all hard drives
Perform in-depth signature scan… – enables signature scan of all files on the drive (otherwise: scan only
files in the root of the drive)
… but only in case of infection – enables signature scan of all files on the drive but only if malware has
already been found
Enable extended heuristics – enables the most powerful feature of the Drive Scanner (highly
recommended)
Enable paranoid mode – instructs the Drive Scanner to be extremely aggressive to any executable code
(use with caution and only if you suspect an infection and don’t mind a few false positives)
Delete all suspicious files – deletes even only suspicious files (normally, they are just renamed)
Always unhide items on removable drives – make files and folders on removable drives visible
(normally not necessary, the program will do it automatically in case it detects specific malware)
Interactive mode – enables interactive removal mode
Don’t use quarantine – disables the quarantine (not recommended)
Don’t scan autorun.inf – instructs the Drive Scanner to ignore all autorun.inf files
Default – selects the default settings on this tab (recommended)
Fastest – selects the settings that provide the fastest scan (note: this may decrease detection rate)
Bulletproof – selects the settings that provide maximum protection (normally, not recommended
because the scans take longer time and false positives occur more often)
Update tab:
Enable auto update – enables automatic updates (recommended; note: the Real-Time Monitor must be
running for this to work)
Update every (hours) – sets the interval for automatic updates
Notify when new database is installed – shows a notification when database is updated
Use proxy – instructs the program to use proxy server to perform updates
Proxy address – the address of the proxy server to use
Proxy port – port to use
Username – username to use when working with the proxy server
Password – password to use when working with the proxy server
Update – performs an update
Quarantine tab:
List of items in the quarantine. Right click an item and select a desired action (you can select multiple items).
Refresh – refreshes the list
Restore – restores the selected item(s)
Delete – deletes selected item(s)
Delete all – empties the quarantine
Whitelist tab:
List of your files that the program should ignore. Right click the list and select a desired action.
Add item – choose this to add a new file to the list
Remove item – remove the selected item from the list
Remove all – empty the list
Logs tab:
Here you can view and manage all logs made by MCShield.
Use the horizontal tabs at the top to select a log:
Use the buttons at the bottom to perform actions:
Save – save the currently displayed log to your Desktop as MCShield-Log_Name (ex: MCShield-
AllScans.txt)
Copy – copy the currently displayed log to the clipboard
Clear – delete the contents of the currently displayed log (you will be asked to confirm this action)
MCS Cloud tab:
Stats box displays the statistics.
Items treated (locally / globally) – shows the number of items that the program has treated so far:
Locally – on local computer (current user account); this number is always available
Globally – on all computers that the program is protecting; this number is available only if MCS
Cloud functions are enabled
Total installations (current version / total)
Current version – number of installations of the program version that you have installed
total – a sum of all installations for any version number beginning with 2 or 3
Both of these numbers are available only if MCS Cloud functions are enabled.
News box displays the latest news from our site (available only if MCS Cloud functions are enabled).
About tab:
Provides information about developers and designers and allows access to the Credits section.
Product Info displays details about current installation of MCShield:
version of MCShield
version of all components
version/date of the signatures database
Buttons on all tabs:
OK – saves the settings and closes the window
Apply – saves the settings
Cancel – discards any changes and closes the window
MCS Cloud
This feature is controlled using the “Enable MCS Cloud functions” option and may be disabled if so is desired.
If the option is enabled, the program will contact our server every time you open the MCS Cloud tab in the Control
Center and do the following:
receive the number of installations and treated items (and display the statistics)
send the number of items treated on your computer (just the number, nothing else)
send a file containing information about files that were detected as suspicious during the previous scans (the file
contains MD5 hashes, dates of detection and type designators of infection)
All these functions are meant to provide better user experience and to help us quickly react on any possible false
positives (or to alert us of new malware). Please, consider those facts before disabling these functions.
Note: your personal files or any other personally identifiable information is never send to us.
Your privacy if fully respected and guaranteed. If you have any concerns or need additional clarification regarding this
feature, please disable it, send us an e-mail and we’ll do our best to answer all your questions.
Other components and internet access
Besides Real-Time Monitor (MCShieldRTM.exe), Control Center (MCShieldCC.exe) and Drive Scanner
(MCShieldDS.exe), program uses some other files.
MCProcess.dll and MCDialogs.dll are dynamic link libraries used by the Drive Scanner (they provide several functions
internally used by the Scanner).
There are also several other files: language translations, the database, scan logs, uninstaller, temporary files used during
scans and update.
Components that may use your internet connection:
Control Center (MCShieldCC.exe, when you perform manual update and when you open the Status and MCS
Cloud tabs)
Real-Time Monitor (MCShieldRTM, when you perform manual update using the tray menu item and during
automatic updates)
How does MCShield function?
The explanation is based on default settings.
When the Real-Time Monitor runs, it starts the Drive Scanner and instructs it to perform an initial scan of all partitions
on all fixed drives (HDD) and removable drives (flash drives, memory cards...).
Floppy and optical drives shall never be scanned.
The program scans:
on fixed drives: root folder for the presence of known bad files and folders; certain specific common folders
(note: the program does not scan system folders: ”Documents and settings”, ”Program Files”, ”ProgramData”,
”Users”, ”Windows”; nor shall it ever delete anything residing in those folders);
on removable drives: : root folder for the presence of known bad files and folders; adaptive generic scan; various
generic / heuristic scans whose depth depends on level and type of infection on the drive; if necessary, the
program shall reset the attributes of files and folders modified by malware to enable easy access to those items.
Typical scan duration on fixed drives is 1 – 2 s / drive; in case of infection, it can take a few more seconds.
Typical scan duration on removable drives heavily depends on number of files on the drive and it takes more time if it’s
infected (adaptive scanning – drive that has been found to contain at least one malicious file or folder is going to be
scanned in more detail than the one that is clean). In most cases, the scan takes 2 – 3 s, but in case of infected drives
containing large number of files (5 000 – 10 000 or more) it can take a few minutes.
If no malware has been found on the scanned drives, a notification will appear (”The initial scan is finished”…) and the
program will start monitoring connections of new drives.
If malware has been found, a prompt asking whether to show the log file will appear (the log file will open automatically
in 5 seconds).
After the monitoring has started, the program will silently wait until a new drive is connected. When that happens, a
scan will be performed in a similar manner as already described earlier and an appropriate notification will appear
(describing that the drive is not infected or prompting about a log file if malware has been found).
Automatic removal mode
By default, MCShield automatically reacts on detected malware – it will move malicious files and folders to the
quarantine and rename the suspicious files (adding the ”.vir” extension to the file name).
Interactive removal mode
MCShield running in the interactive mode shall, for most actions and when appropriate/ possible, prompt the user
about actions to take on the detected items.
There are two possible series of prompts: early in the scan and at the very end, during the cleanup process.
The first prompt a user might get is related to detected autorun items. An example of malware being reported:
The type of detection (suspicious or malicious) and listing of detected items.
Yes – process these items as unwanted
No – do not process these items (ignore)
Automatic – switch to automatic removal mode
Details – open the window shown on the next picture
Autorun items are detected by heuristics and can be either suspicious or
malicious. The program lists the detected autorun.inf file and related
executables and folders.
The contents of detected autorun.inf (only first 300 bytes).
File properties and, if digital signature is available, the name of signer.
Possible actions that can be taken.
Clicking No (first picture) will give another prompt asking if you wish to add the file(s) to your white list.
After these autorun related prompts, the scan will continue. If user selected Yes or if other malware was detected during
the scan, the cleanup routine will start and several types of prompts may appear.
Number of items to process and the current position.
What was detected (file or folder) and how (signature, heuristics…).
The name of detected item.
Suggested action and possible choices.
An example of malicious folder (first prompt and Details view):
An example of a prompt that appears when a folder hidden by malware is found (first prompt and Details view):
All prompts a user might see follow the same design pattern and should be, for the most part, self-explanatory.
Important note regarding the interactive mode
Please, for the sake of your system’s security, be very careful when using interactive mode.
Do not, and we mean: DO NOT! ignore any detected file unless you’re 100% sure that it can be trusted.
Even if a file is digitally signed or VirusTotal search gives you a scan with 0% detection, be careful. Always have in mind
that even malware can be digitally signed and that MCShield is a heuristics oriented scanner which can detect new
malware that is still unknown to antivirus vendors.
In other words: use common sense and your own knowledge. If you don’t know for certain that a detected file is good,
don’t rely on other sources of information that tell you so. Instead, let MCShield take care of the file. If it proves to be a
false positive, you can always restore it from the quarantine or rename it back to it’s original name.
Scan logs
There are three scan logs which you can access using start menu, MCShield > Logs (or using the Logs tab in Control
Center).
Last scan – the log containing information about the last scan.
All scans – the log containing information about all scans that have been performed.
Summary – the log containing the summary of all scans.
Examples of scan logs
A typical scan log (clean drive, the log is normally not shown):
6.2.2012 16:50:51 > Drive J: - scan started (no label ~15251 MB, FAT32 flash drive)...
=> The drive is clean.
Date, drive information and the result.
Another clean drive (contains legitimate software that uses autorun files):
26.2.2012 21:44:57 > Drive J: - scan started (no label ~15251 MB, FAT32 flash drive )...
>>> J:\autorun.inf > Legitimate file.
=> The drive is clean.
MCShield has determined that the autorun file is legitimate and ignored it (the log is not shown).
Infected drive:
25.2.2012 10:58:01 > Drive J: - scan started (no label ~15251 MB, FAT32 flash drive )...
>>> J:\autorun.inf > Suspicious > Renamed.
=> Suspicious files : 1/1 renamed.
____________________________________________
::::: Scan duration: 5s :::::::::::::::::::
____________________________________________
A suspicious autorun file was found and renamed to “autorun.inf.vir”.
Infected drive:
23.2.2012 23:31:49 > Drive J: - scan started (no label ~15251 MB, FAT32 flash drive )...
>>> J:\rar.exe - Malware > Deleted. (12.02.23. 23.32 rar.exe.349163; MD5: 8e3ab02406a24c50cc4626a1f8533cc1)
>>> J:\Password.txt.exe - Malware > Deleted. (12.02.23. 23.32 Password.txt.exe.735145; MD5: d2542afa881146780e584b9bfa3d0f92)
>>> J:\365345.exe - Malware > Deleted. (12.02.23. 23.32 365345.exe.108358; MD5: fa8fee025d2f4c820c4b56792747cfad)
>>> J:\auto.exe - Malware > Deleted. (12.02.23. 23.32 auto.exe.890850; MD5: 4cd0bc16a987fa28a4f7d77581a42094)
>>> J:\februar.exe - Malware > Deleted. (12.02.23. 23.32 februar.exe.423332; MD5: 9a4cb98706ebbf5314e907d7ad927fd1)
>>> J:\x.exe - Malware > Deleted. (12.02.23. 23.32 x.exe.600748; MD5: a584f275a6929bc7980c513b04b2d33c)
=> Malicious files : 6/6 deleted.
____________________________________________
::::: Scan duration: 8s :::::::::::::::::::
____________________________________________
The drive was quite infected – six files were quarantined and deleted. The names of the files in the quarantine can be
read from the scan log:
>>> J:\x.exe - Malware > Deleted. (12.02.23. 23.32 x.exe.600748; MD5: a584f275a6929bc7980c513b04b2d33c)
This file’s name is: 12.02.23. 23.32 x.exe.600748 (year.month.day time original file name .unique identifier).
Frequently asked questions
Q: Do I need to pay anything to use MCShield?
A: No, the program is licensed as freeware.
Q: Is MCShield compatible with my antivirus?
A: Yes. The program was designed to work alongside your antivirus and there should be no compatibility issues.
Q: Do I need to configure MCShield in some special way for it to work properly?
A: No, you don’t. The default settings are just fine.
Q: Do I need to configure my antivirus in some way for MCShield to work properly?
A: Normally no, but to get the highest scan speed and to minimize the chances of your antivirus interfering with MCShield, it’s advised to add the
following folders to your antivirus’ exclusion list:
C:\Program Files\MCShield (or any other folder where MCShield is installed)
C:\Documents and Settings\All Users\Application Data\MCShield (for Windows XP)
C:\ProgramData\MCShield (for Windows Vista / 7/ 8/ 8.1)
If your other security software has some sort of HIPS module, all components of MCShield should be added to the Trusted zone (or similar).
Q: MCShield renamed a file – what do I do now?
A: First of all, be careful. The file was renamed because it was suspicious and you should make sure that the file is not malicious in case you decide
to use it anyway. You can upload the file to Virus Total: https://www.virustotal.com/ to see if it’s detected by other antivirus programs (or, send
the file to us so we can analyze it).
Q: MCShield renamed/deleted a file – I think the file is legitimate. What do I need to do?
A: If you’re sure that the file is legitimate, rename it back to it’s original name by removing the “.vir” extension (or restore it from quarantine), add
it to the white list and than send the file (or at least the scan log) to us so we can analyze it and prevent the false detection to occur in the future
scans.
Q: How do I report a malicious file that MCShield did not detect (properly)?
A: Pack the file in an archive (put a password on it and encrypt the file names) and send it to us.
Q: Is MCShield compatible with Panda USB Vaccine? Do I need both programs?
A: Yes, MCShield and USB Vaccine are compatible. USB Vaccine prevents (or at least makes it a bit more complicated) creation of autorun.inf files of
any kind (malicious or legitimate) and by doing that provides a certain degree of protection on legacy operating systems. On the other hand,
MCShield is an anti-malware program capable of detecting and removing not only autorun based worms but also all other non-viral malware
transmitted via removable drives regardless of attack method being used.
Q: Can MCShield detect and disinfect viruses?
A: Some viruses use worm-like techniques to spread to other computers. In those cases, MCShield shall treat the (virus) droppers as worms and
delete them. In case your legitimate programs residing on the flash drive have been infected with a virus (file infector), you need to use an antivirus
to disinfect those files.
Q: My antivirus just reported one of MCShield’s components as malware – what’s this all about?
A: Unfortunately, antivirus programs sometimes make mistakes and recognize legitimate applications as malware – this is called a false positive and
you’ve just witnessed one. As soon as we are informed that some antivirus falsely detects MCShield, we send false positive reports to the vendor in
question. This is usually fixed in a few hours, but sometimes it can take a lot longer. To be able to use the program while the false detection is still
present, you’ll need to add the detected file to the antivirus’ exclusion list.
To speed things up, you can also report the false positive to the company that made the antivirus you’re using. In many cases, the AV program has
an option to report a false positive that you can use. If you’re unable to report the false positive, we would appreciate if you would let us know of
this false detection so we can report it to the vendor.
Q: I already use an antivirus program. Do I need MCShield?
A: Unfortunately, an application that can provide 100% protection against malware doesn’t exist. If you connect flash drives (USB pen drives,
memory cards, cameras, mobile phones, GPS devices etc.) to your computer, the risk for infection increases and getting some help to your antivirus
is a good idea. Most of MCShield’s detections are based on generic routines (heuristics) making the program capable of detecting even new worms
and in that way filling the time gap between when a new malware is released and a signature for it is added to your AV’s database.
Q: Can MCShield provide 100% detection of worms that spread via removable drives?
A: No. We strongly believe that a program capable to detect everything does not exist.
Q: My computer is never connected to the internet and only possible source of infection is a flash drive. I have no antivirus, only MCShield. Is that
enough to provide good protection?
A: We are aware that some people use only MCShield on their offline computers. We believe this makes the computer quite protected against
worms, but an antivirus is still strongly recommended; there could be a legitimate program on the flash drive infected with a file infector or some
setup file repacked with a Trojan – MCShield is not designed to detect that kind of malware.
Q: Do I need administrative privileges on the computer to install MCShield?
A: Yes, you do. The program installs for all users so you must be an administrator or be able to provide administrator credentials to install the
program (you can start the installation even from a limited account – just double click the setup file).
Q: Does MCShield work on limited user accounts?
A: Yes, it does.
Q: I installed MCShield on administrator account. When I log on to my other accounts, the program is not running. What’s wrong?
A: Basically, nothing. The program installs for all users, but the settings are per user. After you install the program and log on to some other
account, start Real-Time Monitor and Control Center and select the desired settings (this is only necessary once per user account).
Q: Whenever I connect my flash drive, MCShield detects the same malware. Why is this happening?
A: It is possible that you PC is already infected so the drive gets reinfected after MCShield cleans it. Please, run a scan with your antivirus.
If that doesn’t help, you can ask for help on a malware removal forum
http://www.mycity.rs/?part=1 (Serbian / Croatian language)
Forums in English and other languages that provide help in malware removal:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix#forums
Please note that the free help on these forums is provided by trained, dedicated volunteers: show patience when waiting for help, follow their
instructions and don’t forget to say “thanks” – they deserve it.
Q: Damn, this program sucks!
A: We are really sorry you think so, but we appreciate the feedback. Could you send us an email and tell us what’s wrong?
Q: OMG, this program is great! Can I help in some way?
A:
Do you speak a language that is currently not supported by MCShield and would like to help us with translation? Is so, let us know and we’ll give
you the instructions on how to proceed with the translation.
Q: I have a question not answered here. Where can I ask?
A: If you have any other questions or comments, send us an email (available on the About tab and our website).
You’re also welcome to register on our forums (although the forum is in Serbian, feel free to open a new topic in English language):
http://www.mycity.rs/MyCity-Laboratorija/
You can register / log in with your Facebook account or using this page: http://www.mycity.rs/profile.php?mode=register
