How to create a bootable endpoint scanning USB thumb drive for Windows

Jun 6, 2013 at 10:00 PM
Organizations often need the ability to scan the files of a PC or laptop for malware via an external system rather than from the PC itself. For example, a facility might need to allow contractor-owned laptops to enter secure areas, but want to first scan all the files on these laptops to ensure all are free of malware. Another organization could want to make sure all files on its computers are free of malware, even those kernel-level driver files that are often hidden from the file system while they are in use by the computer's resident operating system.

There are many free products available to create bootable USB thumb drives and “Live” CD/DVDs, which allow you to boot into an operating system on that media while having access to a host computer's resources. The question is, can you configure the thumb drive to have not only the operating system but also an endpoint scanning client that will have the ability to scan the files on the host system for malware? OPSWAT decided to answer that question by building a thumb drive solution consisting of a bootable thumb drive embedded with our Metascan Client application, which uses multiple antivirus engines to multi-scan endpoint files and drives for malware. In this solution, Metascan Client is configured to autostart upon boot-up and begin transmitting all of the files on the host computer to a predefined local Metascan Server.

OPSWAT's bootable USB thumb drive is created with standard open source software packages as well as OPSWAT's own Metascan and Metascan Client software. We would like to share our steps as a tutorial below for others to create the thumb drive themselves, and we are also making the solution available for download. You can choose from several configuration options of the bootable USB thumb drive, which offer varying levels of flexibility and complexity:

Default Configuration: With this option, you can download our prebuilt "Bootable USB Thumb Drive with Metascan Client" ISO and simply apply it to a USB thumb drive using IsoToUsb or a similar product. To use this option, your machine hosting Metascan Server must have an internal DNS name of "MetascanServer". Detailed instructions on deploying the default configuration are listed here.

Advanced Configuration: With this option, you make use of the WinBuilder project that we built (see our steps below), but replace our Metascan Client with one that you generate from your server. You will then need to use WinBuilder to generate the ISO and apply it to the USB thumb drive using IsoToUsb or a similar product. Instructions on creating and deploying the advanced configuration are available here.

Custom Configuration: This option allows you to custom build your own ISO using WinBuilder, giving you the most flexibility to configure the thumb drive. Step by step instructions showing how we built our configuration and how to use the USB thumb drive are listed below.
How to create a Metascan Client Bootable USB Thumb Drive for Windows

Prerequisites

Metascan with Metascan Client
This solution is based on the premise that you have installed Metascan and are familiar with Metascan concepts, including the generation of Metascan Clients that can communicate with that server. If you are not familiar with Metascan or Metascan Client, please visit the product pages. Metascan Client comes as part of the Metascan package starting with Metascan 3.7.1.

An empty thumb drive with a minimum capacity of 1GB

A licensed Microsoft Windows 7 installation CD or ISO
This will be the Windows OS that gets put on the thumb drive

An ISO virtualization product such as PowerISO
This is only needed if your Windows installation source is an ISO and you don’t want to burn it to CD

WinBuilder
This is a free application designed to build and customize boot disks (Live CDs) based on Microsoft Windows (WinPE). There are several sites that host the WinBuilder application. In the process described here, the software was downloaded from http://reboot.pro/files/file/4-winbuilder/ because this is the site recommended by the product’s author. If you plan on using WinBuilder for commercial purposes, you should contact Nuno Brito (mail@nunobrito.eu).

A network driver pack
The pack should include drivers for the common network cards used in Windows machines. The more drivers, the wider spectrum of computers you can support. You can download the driver pack that we used here.

Access to a virtual machine
This is required to verify the ISO before applying it to the USB. We used VMware to test and validate the process listed here.

ISO to USB conversion software
For this solution, we use the application ‘ISO to USB’, which is available on a number of sites including CNET’s Download.com.

A note about third party software: OPSWAT is not responsible for the third party software that needs to be downloaded for this solution. During our testing of this solution, we scanned all of the downloaded files using Metascan Online to ensure that they do not contain malware, and we recommend that you do the same. OPSWAT expects users of this solution to make sure that the software is being used in compliance with its EULA. Please also note that software from third party sites, including CNET’s Download.com, is often bundled with other software (e.g. browser toolbars and plug-ins) that needs to be explicitly rejected from download by the user.

Set up

Create a working folder at the root of a drive partition. We call our folder C:\WinPE and will refer to that name in these instructions.

Place your “WinBuilder.exe” file in C:\WinPE and double click to launch it. This will open WinBuilder’s “Download Center” where you choose the projects you will be using to build the “Live CD”.
Check the updates.boot-land.net entry (it should be checked by default)

Check the W7pese.cwcodes.net entry (see diagram A)

Press the “Download” button (see diagram A)

Diagram A


Once the download is complete, you will get a popup window to confirm that you want to start WinBuilder. Accept the request, and you will see the WinBuilder application appear. For the next steps, however, you will momentarily stop using the WinBuilder application.

Install Metascan Client into the proper location by following these steps:
Generate Metascan Client (32 bit version) configured with the following specs:
i. To connect to your Metascan Server’s IP address

ii. To run Folder/Drive scans (process scan is not relevant, since you do not plan to scan the running processes of the USB Thumb Drive)

iii. To run custom scans and full scans (fast scan and deep process scan are not relevant, since you do not plan to scan the running processes of the USB Thumb Drive)

Create a new folder “MetascanClient” and copy the client file into it

Copy “MetascanClient” into “WinPE\Projects\Win7PESE\Apps\Portable\PStart”

Download the MetascanClient.script file and put it in “WinPE\Projects\Win7PESE\Apps\Portable\”
Note: To view the contents of this file, open it in Notepad, Notepad++, WordPad, or any other text editor

Apply the network drivers:
Create a folder named “WinPE\DriverPacks_x86”

Copy DP_LAN_wnt5_x86-32_1009.7z to “WinPE\DriverPacks_x86”

Download the DriverPacks.script file and overwrite the existing file in “WinPE\Projects\Win7PESE\Drivers\DriverPacks.script”
Note: To view the contents of this file, open it in Notepad, Notepad++, WordPad, or any other text editor

Build a new ISO that contains Windows PE with a configured Metascan Client:
Mount Windows 7
i. If using an ISO file, use the ISO virtualization tool (like PowerISO)

ii. If using an install CD, make sure it is in the computer

Go back to your open WinBuilder application (or launch “WinPE\WinBuilder.exe” if it is not already open).

Check Internet Explorer 8 in the “Components” folder of the left hand menu (see diagram B below).

Check any other desired applications in the “Components” folder of the left hand menu. The boxes checked in diagram B represent the configuration we used.
Diagram B


If you are using a proxy, check IE Proxy Settings in the “Components” folder of the left hand menu and enter Proxy and Port information in the center pane (see diagram C below)
Diagram C


Check the Metascan Client entry, which is in the “Apps” -> “Portable” folder of the left hand menu. (see diagram D below) Note: Make sure “Add to Autorun MyApp” remains unchecked.
Diagram D


In the “Drivers” section of the left hand menu, choose the “Driver Package Installer” option (see diagram E)
i. In the right pane, navigate to the “x86 Driver Packs” field and then browse for the folder by clicking the folder icon

ii. Choose the folder “WinPE\DriverPacks_x86”. Check “Load drivers at startup”

Diagram E


Press the Source tab, located at the top right of the main pane (see diagram F)
i. In the “Source directory” field: Choose the CD or Virtual CD drive with the Windows 7 installer (please refer to “Set up” section – step 5a)

ii. In the “Target directory” field: %baseDir% is the directory you created in the first step of this setup section (step 1)

iii. In the “ISO file” field: Please remember this location so that you can collect the created ISO file after the build completes, and then use it to burn to USB.

Diagram F


Choose the virtualization software you plan to use to test the boot drive once you have configured it (see diagram G)
Diagram G


Press the play button (located near the top right corner of WinBuilder). This will build an ISO of your newly configured boot disk.
Diagram H
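
Before pressing play, the files staged by hand in the Metascan Client and network driver steps can be checked and hashed, so the inputs that went into the boot image are on record and can be submitted for scanning as the note about third party software recommends. This PowerShell script is an added example, not part of OPSWAT's tutorial; it assumes the C:\WinPE layout used above, PowerShell 4.0 or later (for Get-FileHash), and a manifest file name chosen here for illustration.

```powershell
# Added example: preflight check of the WinBuilder staging tree before the build.
# Paths follow the tutorial's C:\WinPE layout; the manifest path is an assumption.
param(
    [string]$BaseDir  = 'C:\WinPE',
    [string]$Manifest = 'C:\WinPE\build-inputs.sha256.csv'   # hypothetical output path
)

# Files and folders the Set up steps place by hand (relative to $BaseDir).
$expected = @(
    'WinBuilder.exe',
    'Projects\Win7PESE\Apps\Portable\PStart\MetascanClient',
    'Projects\Win7PESE\Apps\Portable\MetascanClient.script',
    'DriverPacks_x86\DP_LAN_wnt5_x86-32_1009.7z',
    'Projects\Win7PESE\Drivers\DriverPacks.script'
)

$missing = @()
$records = @()
foreach ($rel in $expected) {
    $path = Join-Path $BaseDir $rel
    if (-not (Test-Path -LiteralPath $path)) { $missing += $rel; continue }

    # A folder (the MetascanClient directory) is expanded to the files inside it.
    $files = if (Test-Path -LiteralPath $path -PathType Container) {
        Get-ChildItem -LiteralPath $path -Recurse -File
    } else {
        Get-Item -LiteralPath $path
    }
    if (-not $files) { $missing += "$rel (folder is empty)"; continue }

    foreach ($f in $files) {
        $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256
        $records += [pscustomobject]@{
            Path   = $f.FullName.Substring($BaseDir.Length).TrimStart('\')
            Bytes  = $f.Length
            SHA256 = $h.Hash
        }
    }
}

if ($missing.Count -gt 0) {
    Write-Error ("Staging incomplete, do not build yet:`n  " + ($missing -join "`n  "))
    exit 1
}

# Keep the manifest with the ISO so a later rebuild can be diffed against it.
$records | Export-Csv -LiteralPath $Manifest -NoTypeInformation
$records | Format-Table -AutoSize
```

Running the same script before a later rebuild and comparing the two CSV files shows whether the client, the .script files or the driver pack changed between builds.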

To read more, visit http://www.opswat.com/blog/how-create-endpoint-scanning-bootable-usb-thumb-drive-windows