Sheep dip machine?

[e-class]

I'm thinking of putting in a sheepdip machine for staff/students to virus check USBs or CDs etc BEFORE they put them into network PCs.

So I have a basic PC which will have 'Steady State' on but am wondering how to do the virus scan bit. I'm thinking of having a simple little app with a few buttons on to do, say Scan USB, Scan CD etc.

So shall I use command line scanners? Maybe use 2 different ones? Them how do I make my app from this.

I'm guessing people have already done something like this.

Your valuable advice again please!

[Steve21]

Is there any reason to have this instead of realtime scanning? Most AVs will scan as soon as the files are found/opened anyway, and I'm assuming most people wouldn't check on a standalone computer as they "have no time!!!"

In terms of what you want, just setting up some autorun scripts would be best, when it's detected USB/CD it runs virus scan.

Steve

[SimpleSi]

One of my schools got badly infected and I just simply set up an old machine and a shortcut on the screen to scan a pendrive when its plugged in.
I plug the net cable in once a week and run Sophos Update and then unplug it again. Not theoretically foolproof but has worked fine in practice

Simon

[synaesthesia]

Really can't see the point in a sheepdip machine any more - takes space and is highly inconvenient for everyone involved. With autorun disabled, inability to run executables from USB drives and CD - well, you still use those?

[Arthur]

Not theoretically foolproof

Exactly! When the next exploit comes along which uses USB flash drives and external HDDs to propagate (see Stuxnet, Chymin, Dulkis, Zbot, Sality), the sheep dip machine will be the computer infecting the rest of your network. Even with AutoRun disabled, you are not safe.

It starts with a yet unexplained flaw in Windows that allows a Windows shortcut file (.lnk) placed on a USB device to run a DLL simply by being viewed. This means that, even with AutoRun and AutoPlay disabled, you can open a removable media device (USB) and execute malicious code without user interaction. The danger associated with this attack is large considering how many computers were infected through USB devices by Conficker using the AutoPlay functionality. If you can execute malware even when AutoPlay is disabled, the risk is very high. (Source)

[john]

Was I the only EG member thinking you were on about a PC to help dip sheep? I've NEVER heard people call a machine to AV stuff before using on the LAN a sheep dip machine!

[Arthur]

I've NEVER heard people call a machine to AV stuff before using on the LAN a sheep dip machine!

Sheep-dipping used to be popular in the Novell Netware/Windows 3.11 days. Back when Dr Solomon's Anti-Virus was still around.

[ricki]

Hi

Have a look at http://www.edugeek.net/forums/securi...nserted-2.html

This is how I helped solve the problem.

Richard

[e-class]

Thanks for the replies.

A couple of things really.

The PCs do have on demand scanning but I want to put an extra level of checking in after some nasty virus problems last year.

It's only a very small school so not to concerned if they have to spend 5-10ins scanning their USBs. It'll teach them a lesson ... ;-)

Thanks for the link, will look at it.

Just want them to put their USBs in and then click a button to say scan now.

Just thought someone would have done this previously.

Also want to use something similar in a community centre. Think it would be really handy there for anyone to use.

Thanks ... more advice please?

[Steve21]

The PCs do have on demand scanning but I want to put an extra level of checking in after some nasty virus problems last year.

It's only a very small school so not to concerned if they have to spend 5-10ins scanning their USBs. It'll teach them a lesson ... ;-)

Thing is if the on scan, and normal scan is the same software it should either both pick it up or both miss it

and you say 5-10mins, but if you're doing it properly wouldn't it be whole class scanning every lesson? End of day viruses come from home, only scanning once a month etc, is kind of a waste.

Steve

[SimpleSi]

Just thought someone would have done this previously.

I just simply stuck a note on the side of the monitor to say do right-click and then select Scan drive

If you want to automate further then, prob AutoIt would do the job but I never bothered

Simon

[Arthur]

Just want them to put their USBs in and then click a button to say scan now.

What anti-virus software do you currently use? Some (like NOD32 v5.0 from ESET) can be setup to automatically start a scan as soon as the flash drive is inserted and block drives which haven't been scanned.

[john]

Sheep-dipping used to be popular in the Novell Netware/Windows 3.11 days. Back when Dr Solomon's Anti-Virus was still around.

Hehe I remember Dr Solomons we had it on the PCs when I was at school and Windows 3.11 scary

[AyatollahPies]

Exactly! When the next exploit comes along which uses USB flash drives and external HDDs to propagate (see Stuxnet, Chymin, Dulkis, Zbot, Sality), the sheep dip machine will be the computer infecting the rest of your network. Even with AutoRun disabled, you are not safe.

Not if your sheepdip machine is Linux based.

[joe_Burge]

If you are going to have a sheep-dip machine in reception, there are a few good things you can do to make it really worth while.

1. Use a different anti virus application than you do on the rest of your computers, this will increase your chances of detecting something nasty.
2. Where you will switch off some options as a trade off to speed on your desktop PCs, enable every single option you can on your sheep dip PC. If that's all the PC is being used for people won't mind it being a bit slower.
3. Update as often as you can, weekly is absolutely too infrequent to be safe. Most modern anti-virus applications check for updates every 4 hours so daily updates should be a minimum.
4. Consider running a dedicated malware scanner also, there are some decent free ones around such as superantispyware, unlike running two anti-virus applications, this should not cause a conflict.
5. Consider running something like DeepFreeze to completely lock the state of the sheep dip PC as even with all of the precautions that can be taken, in time (in some cases a very long time), your odds of infection are 100% and the ability to instantly revert to a known clean state is invaluable.