Prevent scan of selected removable devices?
I have a set of USB flash drives that Bitdefender scans every time they are inserted. This is wasted effort and causes a flood of alerts from Macrium Reflect's Image Guardian as BD scans Reflect backups. I want to indicate to BD that these devices are safe. How do I do that?
If that can't be done, how do I disable scanning of removable devices?
Update: I found the option that lets me choose to scan or not when a USB drive is plugged in. That's better than nothing, but I was hoping for some sort of exclusion list (based on drive label, I guess).
BTW, am I the only one irritated by BitDefender's asking if I want to "Immunize" the device? If anything, I might want the device scanned, not injected with a killed or attenuated virus.
Answers
-
Hi @pokeefe0001
You can also set the USB scan options to "ask every time" so this way you can decide which USB device you want to scan and which one you don't want to scan when plugging in a USB device.
1 -
Hello,
The Autorun feature built into Windows operating systems is indeed a very useful tool that allows devices to automatically execute a file from media connected to it. Unfortunately, this feature can also be used by threats to automatically launch and infiltrate your device from rewritable media such as USB flash drives and memory cards connected through card readers. Numerous Autorun-based attacks have been created in recent years. With USB Immunizer, you can prevent any NTFS, FAT32 or FAT formatted flash drive from automatically executing threats ever again. Once a USB device is immunized, threats can no longer configure it to run a certain app when the device is connected to a device running Windows.
Regards
Premium Security & Bitdefender Endpoint Security Tools user
0 -
Calling this feature "Immunizer" is irritating, "cute" advertising hype. Try treating your customers as adults. And hopefully security conscious users already had Autorun disabled.
I assume BD asks permission before modifying anything on the USB device. Yes?
0 -
Yes @pokeefe0001, it will ask for permission before anything else.
That's how this feature is called and it has nothing to do with advertising, but with device security. If the storage device has been plugged into an infected computer for example, the piece of malware will be unable to create its autorun.inf file, thus annihilating any chance of auto-launching itself. It's what it does after all, how should they call it, "USB cleaner"? 😄
For years, Autorun-based malware has been atop of the worldwide e-threat landscape, with notorious representatives such as Trojan.AutorunInf, the Conficker worm (Win32.Worm.Downadup), Worm.Autorun.VHD or the fearsome Stuxnet. Since early 2009, malware exploiting the Autorun technology in order to subsequently infect other computers via flash disks has significantly increased. Trojan.AutorunINF has been world’s number one e-threat since the second half of 2009.
The Bitdefender USB immunizer is the response to this growing issue. Divided in two sections, this small utility is able to protect both your storage device and your computer. You would hope that security conscious people would have Autorun disabled, but the reality is not everyone is aware of this type of malware. For sure, many users don't even pay attention to such details in their daily activities, and this is not about user "treatment", it's about a security feature that can help you avoid real headaches.
Regards
Premium Security & Bitdefender Endpoint Security Tools user
1 -
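An added example, not part of any post in this thread and not Bitdefender's code: a read-only check of what `autorun.inf` at a drive root would ask Windows to launch, which is the file the posts above describe. How the USB Immunizer marks a drive is not stated in this thread, so the "placeholder" state (a folder occupying the file's name) is an assumption, and the sample content and directory names are constructed.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program

def launch_directives(text):
    """Return (key, value) pairs in the [autorun] section that start a program."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value))
    return found

def classify_drive(root):
    """Return (state, directives) for autorun.inf at a drive root."""
    name = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if name is None:
        return "absent", []
    path = os.path.join(root, name)
    if os.path.isdir(path):  # assumption: a same-named folder blocks a plain file
        return "placeholder", []
    with open(path, "rb") as fh:
        data = fh.read()
    # Handle UTF-16 files with a BOM; otherwise read as UTF-8.
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    hits = launch_directives(data.decode(enc, errors="replace"))
    return ("launches-program" if hits else "benign"), hits

# Constructed sample, not taken from any real drive.
SAMPLE = "[autorun]\nicon=drive.ico\nopen=setup.exe\nshell\\explore\\command=tool.exe /x\n"

def demo():
    """Classify three throwaway directories standing in for drive roots."""
    with tempfile.TemporaryDirectory() as base:
        roots = {n: os.path.join(base, n) for n in ("empty", "risky", "blocked")}
        for p in roots.values():
            os.mkdir(p)
        with open(os.path.join(roots["risky"], "AUTORUN.INF"), "w", encoding="utf-16") as fh:
            fh.write(SAMPLE)
        os.mkdir(os.path.join(roots["blocked"], "autorun.inf"))
        return {n: classify_drive(p) for n, p in roots.items()}
```

On a real machine, pass the drive root (for example `E:\`) to `classify_drive`; the function only reads and never modifies the drive.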
Bitdefender doesn’t have a specific exclusion list for removable drives based on labels.
0 -
Thanks for the background explanation, @Alexandru_BD.
The "USB Immunizer Recommendation" dialogue box is shown in another forum post.
I have to say that I partly agree with @pokeefe0001, in the sense that calling it only "Immunize" with no further information in the dialogue box would not be clear to most users. Is it a good name for the process (now that I have read the explanation above)? Yes. But the name alone is not enough to make the action evident to most users.
Consequence? Users who click "OK" on every message without worrying about reading it carefully will click "Immunize USB" (~50% of users?). Users who only click OK if they understand & agree with what's in front of them will click "Cancel" (45% of users?). Users who are willing to do lots of homework to research the topic will click "Immunize USB" (~5% of users?). I don't think that's a great result.
There is something else strange/counterintuitive about the settings.
- When "Scanning flash drives" is set to "Autoscan" the drive is scanned automatically, but there's no prompt to (optionally) immunize the drive!
- When "Scanning flash drives" is set to "Ask every time" there is a prompt to (optionally) immunize the drive, but the files on the drive are not scanned!
- When "Scanning flash drives" is set to "Disabled" the drive is not scanned automatically, and there's also no prompt to (optionally) immunize the drive!
This perpetuates the confusion: the settings in the main GUI only talk about scanning. There's no ability to manually trigger "immunization" of a drive, or to say whether "immunization" should happen automatically, or after asking, or never. Why do the settings for scanning have such a strange effect on whether the user is able to immunize the drive?
And is there actually any way to manually initiate immunization of a USB drive (regardless of the setting for "Scanning flash drives")?
Also, is there an easy way to know whether a drive has been successfully immunized? As a workaround, it seems if "Ask every time" is set, then the immunization prompt will only be shown for unimmunized drives. But that won't work for the other two settings.
0 -
-
Scan and immunize are two different operations. When something is set on auto (Autoscan in this case), the presumption is the user does not want to be disturbed. Hence, no additional dialogs are presented, such as "Do you want to immunize" etc. On "Ask" type of setting, yes, the user is consulted about how to continue and is presented various actions, such as immunize. (The fact the files on the drives are not scanned I'm not sure yet why, but sounds like a bug to me - still, it should be confirmed that is happening, or is simply something by design).
Immunization is intended to be more of a standalone operation, and its presence (or not) is seen by the fact the contextual menu displays the Immunize menu item for a drive not immunized, or does not display this item for an already immunized drive. I am not entirely sure why (not being part of discussions when the feature was designed) but this is what I remember.
About the manual way of immunizing a drive, this can be done AFAIK only from explorer by right-clicking the drive. There is no correspondent in the main interface.
2 -
Thanks for sharing your insights, @camarie.
Your comments regarding a lack of interruption when set to "Auto" are logical. However, I would point out that even with the "Auto" setting a message is already displayed by BD. But the message mentions only scanning, and does not mention immunising. From what you say, logically it should mention both (not as a question, but as a statement) — if there is going to be a notification (which I think is OK, although perhaps with an option somewhere for individual users to specify their preference that no notifications be shown for "Auto" scan-and-immunise).
On the other hand, the USB stick/thumb drive that was newly immunised in January 2025 must have been scanned dozens of times during 2024 (not to mention 2023), when the "Auto" setting was in force. That circumstance suggests that automatic scanning did not include immunisation!
I agree that on the "Ask" setting both immunisation and scanning should occur, and should both be mentioned in the dialogue box. It does not seem to be the case currently.
Regarding immunisation status, I think this would be good to display together with the scan results in case the user does a manual scan of an external drive:
Example:
~~~~
DRIVE SCAN RESULTS
10023 files scanned
0 suspicious files found
…
DRIVE IMMUNISATION STATUS
Immunised against autorunning of threats? Yes
~~~~
Notice that I've expanded from just "immunisation" to hint at what this really means. Otherwise many users will (wrongly) assume that
immunised = scanned, and found to be clean
or
immunised = scanned, and all threats neutralised
Also notice that I have tried to employ two (sub)headings, to indicate that scanning and immunisation are distinct things.
It's good to know that there is a way to manually request immunisation of a drive, although it does seem like a question as to whether that should also be possible from the main BD GUI. Either as a standalone 'button', or else as an extra prompt that comes up for relevant manual scan requests. E.g. if the user requests a manual scan of an external drive, BD could pop up a message saying "Would you like to immunise the drive too?" if it hasn't already been immunised — not to say that's the most user-friendly way of handling it, just brainstorming at this point.
Regards,
DIVERSE
0 -
Displaying both messages regarding scan and immunization: you are probably right.
About the second thing: immunize is not equivalent with scanning. Scan does a lot more than immunize, which is intended to protect mainly the autorun feature, while scan examines more (I don't know the entire palette of operations, but I suppose it is looking at files, file system, perhaps boot etc.).
1 -
I have notified the team about your comments. I'm not sure if or how this will get improved, but points taken. Thank you for your feedback!
1