How to create an Endpoint Scanning Bootable USB Thumb Drive for Windows

Organizations often need to scan the files of a PC or laptop for malware from an external system rather than from the PC itself. For example, a facility might need to allow contractor-owned laptops into secure areas, but want to first scan every file on those laptops to make sure none is malicious. Another organization might want to verify that all files on its computers are free of malware, including kernel-level driver files that are often hidden from the file system while the computer's own operating system is running and using them.

There are many free products for creating bootable USB thumb drives and "Live" CDs/DVDs, which let you boot into an operating system on that media while still having access to the host computer's disks. The question is whether you can configure the thumb drive to carry not only the operating system but also an endpoint scanning client able to scan the files on the host system for malware. OPSWAT answered that question by building a bootable thumb drive embedded with our MetaDefender Client application, which uses multiple antivirus engines to multi-scan endpoint files and drives for malware. In this solution, MetaDefender Client is configured to start automatically on boot and transmits the files on the host computer to a predefined Metascan Server on the local network.

OPSWAT's bootable USB thumb drive is created with standard open source software packages as well as OPSWAT's own MetaDefender Core and MetaDefender Client software. We would like to share our steps as a tutorial below for others to create the thumb drive themselves, and we are also making the solution available for download.

This is the second revision of the USB drive, which offers improvements that decrease the number of steps and general complexity required to build a fully customized drive. A PDF version of this step-by-step guide can be found here. If you are interested in a pre-built solution with customization options, please refer to our knowledge base article on the MetaDefender Core USB Default Configuration.

How to create a MetaDefender Client Bootable USB Thumb Drive for Windows

Prerequisites

  • MetaDefender Core with MetaDefender Client
    This solution is based on the premise that you have installed MetaDefender Core and are familiar with MetaDefender Core concepts, including the generation of MetaDefender Clients that can communicate with that server. If you are not familiar with MetaDefender Core or MetaDefender Client, please visit the product pages. MetaDefender Client comes as part of the MetaDefender Core package starting with MetaDefender Core 3.7.1.
  • An empty thumb drive with a minimum capacity of 500MB
  • A licensed Microsoft Windows 7 32-bit installation CD or ISO
    This will be the Windows OS that gets put on the thumb drive.
  • An ISO virtualization product such as powerISO or Virtual CloneDrive
    This is only needed if your Windows installation source is an ISO and you don't want to burn it to CD
  • Make_PE3
    This is a free application designed to build and customize boot disks (Live CDs) based on Microsoft Windows (WinPE). There are several third-party sites that host the Make_PE3 utility, but we recommend that you download the package from us so that you can take advantage of our previous customizations.
  • Access to a virtualization tool
    Virtualization software is optionally used to boot-test the generated ISO before writing it to the USB drive. We used VMware to test and validate the process listed here.
  • ISO to USB conversion software
    For this solution, we use the application 'ISO to USB', which is available on a number of sites including CNET's Download.com. Other solutions which can build bootable media from an ISO image will also suffice.

A note about third party software: OPSWAT is not responsible for the third party software that needs to be downloaded for this solution. During our testing of this solution, we scanned all of the downloaded files using MetaDefender Cloud to ensure that they do not contain malware, and we recommend that you do the same. OPSWAT expects users of this solution to make sure that the software is being used in compliance with its EULA. Please also note that software from third party sites, including CNET's Download.com, is often bundled with other software (e.g. browser toolbars and plug-ins) that needs to be explicitly rejected from download by the user.

Set up

  1. Unzip the "MetascanBootableUSB" folder from the OPSWAT Make_PE3 package into the root of your C: drive, so that the path "C:\MetascanBootableUSB" exists.

    Root Directory
  2. Navigate to "C:\MetascanBootableUSB\PE3_mod\PE3_add\x86\Program Files\MetascanClient". Inside this folder is "MetascanClientConf.ini", which we will edit.
    1. Set the value "server" to the IP address of your Metascan server. Make sure to leave the ":8008/metascan_rest" portion after the IP address. The client runs on the machine being scanned, so use the address at which that machine will reach the Metascan server over the LAN, not a loopback address.
    2. Optionally set the "maximum_file_size_bytes" parameter.
  3. If you have any drivers you wish to be available to the live environment, copy them into the folder "C:\MetascanBootableUSB\PE3_mod\WIN7_drivers\x86".

  4. Insert the Windows 7 disk or mount the ISO with your utility of choice.

  5. Run "C:\MetascanBootableUSB\Make_PE3.cmd". Press any key when it prompts you.

    1. If UAC is enabled, right-click the script and choose "Run as administrator".
  6. At the prompt, press 1, and then Enter.
    Prompt
  7. Select the drive containing the Windows 7 disk.
    Windows 7 Location
  8. In the tool, enter 2, and then press Enter. Make yourself a cup of tea while your final ISO is generated. Typically on our machines it takes between three to five minutes.
  9. The tool will eventually show the following screen which indicates the path to your finished ISO.
    Finished ISO
  10. If you would like to test the ISO, use your virtualization tool of choice to boot a VM with the ISO mounted. *Note: this step is optional.
  11. It is now time to burn the ISO to a bootable USB. The ISO to USB tool makes this a breeze; run it and get to the following screen:
    1. In the "ISO File" field, select the ISO file generated above. It should look something like "C:\MetascanBootableUSB\win7pe_x86\7pe_x86_E.iso"
    2. In the drop-down "Drive" field, select the drive letter of your USB drive. Double-check this.
    3. Leave the "File System" field at FAT32, set the "Volume Label" to whatever you want.
    4. Make sure the "Bootable" checkbox is ticked.
    5. Double-check everything, especially the drive letter of the USB (if you accidentally select, for example, an external hard drive or data partition, it will be wiped). Click "Burn".
      Burn USB
  12. Wait for the tool to finish, and you are done. Congratulations!
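Before running Make_PE3.cmd (step 5), it is worth checking the edited MetascanClientConf.ini, since a mistake there costs you a full ISO build and a boot test before it shows up. The script below is an added example, not part of the OPSWAT Make_PE3 package or of MetaDefender Client: it reads the INI and flags the errors that are easy to make in step 2 (the ":8008/metascan_rest" suffix dropped, a loopback or unspecified address that would point the client at the booted WinPE machine instead of the server, a non-numeric size limit). The only key names it relies on are "server" and "maximum_file_size_bytes" from the tutorial; the section name (or absence of one) and the acceptance of an optional http:// or https:// scheme in front of the IP address are assumptions, as are the sample INI contents, which are constructed here.

```python
"""Pre-build sanity check for MetascanClientConf.ini (added example, not OPSWAT code)."""
import configparser
import ipaddress
import re
import sys

# From the tutorial: this portion must stay after the server's IP address.
REQUIRED_SUFFIX = ":8008/metascan_rest"


def parse_client_conf(text: str) -> dict:
    """Return the INI's key/value pairs as a flat dict with lowercased keys.

    configparser requires a section header; if the file has none (assumption:
    the real file may or may not have one), a dummy section is prepended.
    Only '=' is treated as the key/value delimiter so the ':' in the server
    value is never mistaken for one.
    """
    if not re.search(r"^\s*\[", text, re.MULTILINE):
        text = "[client]\n" + text
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    flat = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            flat[key.lower()] = value.strip()
    return flat


def check_server(value: str) -> list:
    """Problems with the 'server' value; an empty list means it looks right."""
    if not value:
        return ["server is empty"]
    if not value.endswith(REQUIRED_SUFFIX):
        return [f"server must end with {REQUIRED_SUFFIX!r}, got {value!r}"]
    host = value[: -len(REQUIRED_SUFFIX)]
    host = re.sub(r"^https?://", "", host)  # assumption: a scheme prefix is allowed
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return [f"server host {host!r} is not an IP address; the tutorial expects the Metascan server's IP"]
    # The client runs on the machine being scanned, so a loopback/unspecified
    # address would point it at the live WinPE environment, not the server.
    if ip.is_loopback or ip.is_unspecified:
        return [f"server {host} is a loopback/unspecified address; use the server's LAN address"]
    return []


def check_max_file_size(value) -> list:
    """'maximum_file_size_bytes' is optional; if present it must be a positive integer."""
    if value is None:
        return []
    if not re.fullmatch(r"\d+", value) or int(value) == 0:
        return [f"maximum_file_size_bytes must be a positive whole number of bytes, got {value!r}"]
    return []


def validate_conf(text: str) -> list:
    """All problems found in the INI text; empty list means safe to build."""
    conf = parse_client_conf(text)
    problems = []
    if "server" not in conf:
        problems.append("missing 'server' key")
    else:
        problems += check_server(conf["server"])
    problems += check_max_file_size(conf.get("maximum_file_size_bytes"))
    return problems


# Constructed sample files for demonstration (not the shipped INI).
GOOD_CONF = """[client]
server = 192.168.10.20:8008/metascan_rest
maximum_file_size_bytes = 104857600
"""
BAD_CONF = """[client]
server = 127.0.0.1:8008
maximum_file_size_bytes = 100MB
"""

if __name__ == "__main__":
    # Usage: python check_conf.py "C:\MetascanBootableUSB\PE3_mod\PE3_add\x86\Program Files\MetascanClient\MetascanClientConf.ini"
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = BAD_CONF
    problems = validate_conf(text)
    for p in problems:
        print("PROBLEM:", p)
    print("OK, ready to run Make_PE3.cmd" if not problems else "fix the above before building the ISO")
```

Run it against the real INI path from step 2; with no argument it checks the constructed BAD_CONF and reports both mistakes.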

How to use your MetaDefender Core Client Bootable USB Thumb Drive for Windows

In order to use the USB thumb drive, the following steps should be taken:

  1. Make sure the Windows machine to be scanned is connected via LAN to the network that hosts your Metascan Server. Note that Wi-Fi will not suffice because the USB thumb drive does not have the necessary Wi-Fi network drivers.
    If you do not have a network you can connect the computer to, check out our follow-up post for directly connecting the laptop to another machine with Metascan installed.
  2. Upon startup of the Windows machine, press the key required to interrupt automatic boot from the machine's own disk. Typically, this key is displayed on the screen when the machine is first started (often 'ESC' or 'F12').
    Diagram I (click to enlarge)
  3. Once interrupted, you should get a character mode display asking from which source you want to boot the machine. The bootable thumb drive is typically displayed as "USB" or "removable device".
    Diagram J (click to enlarge)
  4. You will see a series of additional messages and popups as the machine boots with the USB. These show processes, steps and progress within the boot process. You can wait while the computer cycles through these screens. Examples of these screens are shown in diagrams K and L.
    Diagram K (click to enlarge)
    Diagram L (click to enlarge)
  5. Once booted, the Metascan Client launches automatically and is ready to scan the host computer's file system.
    Diagram M (click to enlarge)
  6. The Metascan client will now allow you to run a full system scan or a custom scan of specific files/folders. To start a scan of the entire hard drive, leave "Full Scan" selected and click the large blue "Scan" button.

Limitations of the Bootable USB Thumb Drive

Users of the Metascan Client bootable USB thumb drive should be aware of a few limitations of this solution:

  1. The bootable USB thumb drive will not be able to mount encrypted volumes or drives not formatted with a Windows file system on the computer being scanned, so files on those volumes are not scanned.
  2. The bootable USB thumb drive will not be able to scan running processes of the computer being scanned (since the running processes are those of the live environment, not of the host computer).
  3. The host computer needs to be connected to your network via ethernet cable. The USB thumb drive cannot make use of the computer's Wi-Fi features.
  4. Some network drivers are not included in the driver pack applied to this boot drive. If the boot drive does not recognize the network card on the computer being scanned, this means it does not contain the driver for that network card. In this case, you can do two things:
    1. Log a ticket with OPSWAT at my.opswat.com/hc/en-us/requests and send us the driver (or just tell us the computer model and network card and we will find the driver), and we will incorporate it into the next release of our thumb drive ISO and associated projects.
    2. For an immediate (but temporary) resolution, take the network driver file from the computer's file system and load it into the live environment running from the USB thumb drive. Note that a driver added this way lives only in the running session: it is gone once you shut down the live operating system, and it is also lost if the driver is removed from the host system it was copied from.
    3. If you are familiar with the Winbuilder application (e.g. if you followed our instructions for the Advanced Configuration or the Custom Configuration of the Metascan Client bootable USB thumb drive), you can add the driver to the Winbuilder project, regenerate a new ISO, and apply that ISO to your thumb drive by following the instructions outlined in our KB article on adding network drivers.
  5. Scanning time is proportional to the number and size of files being scanned as well as the number of engines on your Metascan server. A full scan of a typical laptop hard drive can take several hours to several days.