MCShield ::Anti-Malware Tool::

v 2

MCShield is an antimalware tool designed to prevent infections transmitted via removable

drives (USB flash drives, memory cards (cameras, phones, GPS devices…), external hard

drives).

Program features:

automatic mode which makes use of this software possible to everyone regardless of their operating system and

malware related knowledge;

interactive mode for advanced users who desire more control;

detection of newly connected drives and automatic scanning;

ultra fast scanning of root and certain special folders on the hard drives and adaptive scanning of removable

drives;

signatures and program updates using the integrated update tool;

completely negligible impact on system performance;

optimal functionality without any additional settings;

possibility to modify the programs behavior according to specific user’s needs;

creation of backup copies of everything that program detects and deletes;

real-time global statistics;

completely freeware...

The largest part of MCShield’s detections is based on generic routines designed for detection of certain prevalent worm

families and heuristical analysis of drives’ contents. The detection level is additionally improved through mathematical

signatures and known bad file and folder names databases.

Usage safety and prevention of false detections is performed through multiple verification of legitimacy of files

performed inside the detection routines and, additionally, by cross-referencing the scan results with the legitimate files

database. To ensure the optimal protection level without decrease in functionality, MCShield enables it’s users to add

their own files to the white list – items in this list shall never be detected regardless of how suspicious the program

might consider them.

Program’s main components

Real-Time Monitor – is responsible for background monitoring and detection of new drives.

When a new drive is detected, the Monitor will launch the Drive Scanner and instruct it to perform the scan.

Monitor’s icon is placed in the system tray area. Right click the icon to access the tray menu:

Control Center – opens the Control Center;

Stop the scan – stops the currently running scan (available only if the scanner is active);

Disable/Enable protection – disables/enables the protection;

Game Mode – disables Monitor’s notifications;

Update – performs an update;

Exit – closes the Monitor and disables the protection.

Left double click on the tray icon opens the Control Center.

Drive Scanner – is responsible for scanning of new drives.

While the scan is in progress, the tray icon will be animated (rotation around the vertical axis) to let you know the

program is working. If the scan takes more than 10 seconds, the Scanner may provide additional notifications in the tray

area.

When the scan is finished, the program will inform you that no malware was detected (if the drive was clean) or provide

a log of all actions that have been taken (in case of infection).

Control Center – enables you to choose the language, adjust the settings, perform an update, access the quarantine and

the white list. Also, the Control Center provides statistics and additional information about the program.

General tab:

Language – language selection

Run MCShield when Windows starts – starts the program with Windows (recommended)

Allow MCS Cloud functions – enables statistics and reporting (see: MCS Cloud section)

Don’t show notifications about clean drives – disables notifications about clean drives

Don’t show notifications about infected drives – disables notifications and prompts about infected

drives

Always show the log file in case of infection – if malware was found, shows the log file directly

Don’t show initial notifications – disables notifications that appear when the program starts

Don’t show notifications during the scan – disables notifications that may appear during the scan

Don’t prompt to show logs – disables prompts about whether the log is to be shown or not

Defaults – selects the default settings on this tab

Scanner tab:

When MCShield starts, scan all:

Flash drives and memory cards – enables initial scan of all flash drives

Hard disk drives – enables initial scan of all hard drives

Perform in-depth signature scan… – enables signature scan of all files on the drive (otherwise: scan only

files in the root of the drive)

… but only in case of infection – enables signature scan of all files on the drive but only if malware has

already been found

Enable extended heuristics – enables the most powerful feature of the Drive Scanner (highly

recommended)

Always unhide items on removable drives – make files and folders on removable drives visible

(normally not necessary, the program will do it automatically in case it detects specific malware)

Delete all suspicious files – deletes suspicious files (normally, they are just renamed)

Enable paranoid mode – instructs the Drive Scanner to be extremely aggressive to any executable code

(use with caution and only if you suspect an infection and don’t mind a few false positives)

Don’t use quarantine – disables the quarantine (not recommended)

Interactive mode – enables interactive removal mode;

Default – selects the default settings on this tab

Fastest – selects the settings that provide the fastest scan (note: this may decrease the detection rate)

Bulletproof – selects the settings that provide maximum protection (normally, not recommended

because the scans take longer time and false positives occur more often)

Update tab:

Enable auto update – enables automatic updates (recommended; note: the Real-Time Monitor must be

running for this to work)

Update every (hours) – sets the interval for automatic updates

Notify when new database is installed – shows a notification when database is updated

Use proxy – instructs the program to use proxy server to perform updates

Proxy address – the address of the proxy server to use

Proxy port – port to use

Username – username to use when working with the proxy server

Password – password to use when working with the proxy server

Update – performs an update

Quarantine tab:

List of items in the quarantine. Right click an item and select a desired action (you can select multiple items).

Refresh – refreshes the list

Restore – restores the selected item(s)

Delete – deletes selected item(s)

Delete all – empties the quarantine

Whitelist tab:

List of your files that the program should ignore. Right click the list and select a desired action.

Add item – choose this to add a new file to the list

Remove item – remove the selected item from the list

Remove all – empty the list

Stats tab

On the left side: displays the versions of all components and database.

On the right side: displays statistics.

Items treated (locally / globally) – shows the number of items that the program has treated so far:

Locally – on local computer (current user account); this number is always available

Globally – on all computers that the program is protecting; this number is available only if MCS

Cloud functions are enabled

Number of installations (current version / 2.x)

Current version – number of installations of the program version that you have installed

2.x – total number of installations (for any version number beginning with 2)

Both of these numbers are available only if MCS Cloud functions are enabled.

About tab:

Provides information about developers and designers, link to the website, support e-mail, and the Credits

button.

Buttons on all tabs:

OK – saves the settings and closes the window

Apply – saves the settings

Cancel – discards any changes and closes the window

MCS Cloud

This feature is controlled using the “Enable MCS Cloud functions” option and may be disabled if so is desired.

If the option is enabled, the program will contact our server every time you open the Stats tab in the Control Center and

do the following:

receive the number of installations and treated items (and display the statistics)

send the number of items treated on your computer (just the number, nothing else!)

send a file containing MD5 hashes of files that were detected as suspicious during the previous scans (the file

contains only MD5 hashes, nothing else; note: no other file will ever be send to us!)

All these functions are meant to provide better user experience and to help us quickly react on any possible false

positives (or to alert us of new malware). Please, consider those facts before disabling these functions.

Note: your personal files or any other personally identifiable information is never send to us.

Your privacy if fully respected and guaranteed. If you have any concerns or need additional clarification regarding this

feature, please disable it, send us an e-mail and we’ll do our best to answer all your questions.

Other components and internet access

Besides Real-Time Monitor (MCShieldRTM.exe), Control Center (MCShieldCC.exe) and Drive Scanner

(MCShieldDS.exe), program uses some other files.

MCProcess.dll and MCDialogs.dll are dynamic link libraries used by the Drive Scanner (they provide several functions

internally used by the Scanner).

There are also several other files: language translations, the database, scan logs, uninstaller, temporary files used during

scans and update.

Components that may use your internet connection:

Control Center (MCShieldCC, when you perform manual update and when you open the Stats tab)

Real-Time Monitor (MCShieldRTM, when you perform manual update using the tray menu item and during

automatic updates)

How does MCShield function?

The explanation is based on default settings.

When the Real-Time Monitor runs, it starts the Drive Scanner and instructs it to perform an initial scan of all partitions

on all fixed drives (HDD) and removable drives (flash drives, memory cards...).

Floppy and optical drives shall never be scanned.

The program scans:

on fixed drives: root folder for the presence of known bad files and folders; certain specific common folders

(note: the program does not scan system folders: ”Documents and settings”, ”Program Files”, ”ProgramData”,

”Users”, ”Windows”; nor shall it ever delete anything residing in those folders);

on removable drives: : root folder for the presence of known bad files and folders; adaptive generic scan; various

generic / heuristic scans whose depth depends on level and type of infection on the drive; if necessary, the

program shall reset the attributes of files and folders modified by malware to enable easy access to those items.

Typical scan duration on fixed drives is 1 – 2 s / drive; in case of infection, it can take a few more seconds.

Typical scan duration on removable drives heavily depends on number of files on the drive and it takes more time if it’s

infected (adaptive scanning – drive that has been found to contain at least one malicious file or folder is going to be

scanned in more detail than the one that is clean). In most cases, the scan takes 2 – 3 s, but in case of infected drives

containing large number of files (5 000 – 10 000 or more) it can take a few minutes.

If no malware has been found on the scanned drives, a notification will appear (”The initial scan is finished”…) and the

program will start monitoring connections of new drives.

If malware has been found, a prompt asking whether to show the log file will appear (the log file will open automatically

in 5 seconds).

After the monitoring has started, the program will silently wait until a new drive is connected. When that happens, a

scan will be performed in a similar manner as already described earlier and an appropriate notification will appear

(describing that the drive is not infected or prompting about a log file if malware has been found).

Automatic removal mode

By default, MCShield automatically reacts on detected malware – it will move malicious files and folders to the

quarantine and rename the suspicious files (adding the ”.vir” extension to the file name).

Interactive removal mode

MCShield running in the interactive mode shall, for most actions and when appropriate/ possible, prompt the user

about actions to take on the detected items.

There are two possible series of prompts: early in the scan and at the very end, during the cleanup process.

The first prompt a user might get is related to detected autorun items. An example of malware being reported:

The type of detection (suspicious or malicious) and listing of detected items.

Yes – process these items as unwanted

No – do not process these items (ignore)

Automatic – switch to automatic removal mode

Details – open the window shown on the next picture

Autorun items are detected by heuristics and can be either suspicious or

malicious. The program lists the detected autorun.inf file and related

executables and folders.

The contents of detected autorun.inf (only first 300 bytes).

File properties and, if digital signature is available, the name of signer.

Possible actions that can be taken.

Clicking No (first picture) will give another prompt asking if you wish to add the file(s) to your white list.

After these autorun related prompts, the scan will continue. If user selected Yes or if other malware was detected during

the scan, the cleanup routine will start and several types of prompts may appear.

Number of items to process and the current position.

What was detected (file or folder) and how (signature, heuristics…).

The name of detected item.

Suggested action and possible choices.

An example of malicious folder (first prompt and Details view):

An example of a prompt that appears when a folder hidden by malware is found (first prompt and Details view):

All prompts a user might see follow the same design pattern and should be, for the most part, self-explanatory.

Important note regarding the interactive mode

Please, for the sake of your system’s security, be very careful when using interactive mode.

Do not, and we mean: DO NOT! ignore any detected file unless you’re 100% sure that it can be trusted.

Even if a file is digitally signed or VirusTotal search gives you a scan with 0% detection, be careful. Always have in mind

that even malware can be digitally signed and that MCShield is a heuristics oriented scanner which can detect new

malware that is still unknown to antivirus vendors.

In other words: use common sense and your own knowledge. If you don’t know for certain that a detected file is good,

don’t rely on other sources of information that tell you so. Instead, let MCShield take care of the file. If it proves to be a

false positive, you can always restore it from the quarantine or rename it back to it’s original name.

Scan logs

There are three scan logs which you can access using start menu, MCShield > Logs.

Last scan – the log containing information about the last scan.

All scans – the log containing information about all scans that have been performed.

Summary – the log containing the summary of all scans.

Examples of scan logs

A typical scan log (clean drive, the log is normally not shown):

6.2.2012 16:50:51 > Drive J: - scan started (no label ~15251 MB, FAT32 flash drive)...

=> The drive is clean.

Date, drive information and the result.

Another clean drive (contains legitimate software that uses autorun files):

26.2.2012 21:44:57 > Drive J: - scan started (no label ~15251 MB, FAT32 flash drive )...

>>> J:\autorun.inf > Legitimate file.

=> The drive is clean.

MCShield has determined that the autorun file is legitimate and ignored it (the log is not shown).

Infected drive:

25.2.2012 10:58:01 > Drive J: - scan started (no label ~15251 MB, FAT32 flash drive )...

>>> J:\autorun.inf > Suspicious > Renamed.

=> Suspicious files : 1/1 renamed.

____________________________________________

::::: Scan duration: 5s :::::::::::::::::::

____________________________________________

A suspicious autorun file was found and renamed to “autorun.inf.vir”.

Infected drive:

23.2.2012 23:31:49 > Drive J: - scan started (no label ~15251 MB, FAT32 flash drive )...

>>> J:\rar.exe - Malware > Deleted. (12.02.23. 23.32 rar.exe.349163; MD5: 8e3ab02406a24c50cc4626a1f8533cc1)

>>> J:\Password.txt.exe - Malware > Deleted. (12.02.23. 23.32 Password.txt.exe.735145; MD5: d2542afa881146780e584b9bfa3d0f92)

>>> J:\365345.exe - Malware > Deleted. (12.02.23. 23.32 365345.exe.108358; MD5: fa8fee025d2f4c820c4b56792747cfad)

>>> J:\auto.exe - Malware > Deleted. (12.02.23. 23.32 auto.exe.890850; MD5: 4cd0bc16a987fa28a4f7d77581a42094)

>>> J:\februar.exe - Malware > Deleted. (12.02.23. 23.32 februar.exe.423332; MD5: 9a4cb98706ebbf5314e907d7ad927fd1)

>>> J:\x.exe - Malware > Deleted. (12.02.23. 23.32 x.exe.600748; MD5: a584f275a6929bc7980c513b04b2d33c)

=> Malicious files : 6/6 deleted.

____________________________________________

::::: Scan duration: 8s :::::::::::::::::::

____________________________________________

The drive was quite infected – six files were quarantined and deleted. The names of the files in the quarantine can be

read from the scan log:

>>> J:\x.exe - Malware > Deleted. (12.02.23. 23.32 x.exe.600748; MD5: a584f275a6929bc7980c513b04b2d33c)

This file’s name is: 12.02.23. 23.32 x.exe.600748 (year.month.day time original file name .unique identifier).

Frequently asked questions

Q: Do I need to pay anything to use MCShield?

A: No, the program is licensed as freeware.

Q: Is MCShield compatible with my antivirus?

A: Yes. The program was designed to work alongside your antivirus and there should be no compatibility issues.

Q: Do I need to configure MCShield in some special way for it to work properly?

A: No, you don’t. The default settings are just fine.

Q: Do I need to configure my antivirus in some way for MCShield to work properly?

A: Normally no, but to get the highest scan speed and to minimize the chances of your antivirus interfering with MCShield, it’s advised to add the

following folders to your antivirus’ exclusion list:

C:\Program Files\MCShield (or any other folder where MCShield is installed)

C:\Documents and Settings\All Users\Application Data\MCShield (for Windows XP)

C:\ProgramData\MCShield (for Windows Vista / 7/ 8)

If your other security software has some sort of HIPS module, all components of MCShield should be added to the Trusted zone (or similar).

Q: MCShield renamed a file – what do I do now?

A: First of all, be careful. The file was renamed because it was suspicious and you should make sure that the file is not malicious in case you decide

to use it anyway. You can upload the file to Virus Total: https://www.virustotal.com/ to see if it’s detected by other antivirus programs (or, send

the file to us so we can analyze it).

Q: MCShield renamed/deleted a file – I think the file is legitimate. What do I need to do?

A: If you’re sure that the file is legitimate, rename it back to it’s original name by removing the “.vir” extension (or restore it from quarantine), add

it to the white list and than send the file (or at least the scan log) to us so we can analyze it and prevent the false detection to occur in the future

scans.

Q: How do I report a malicious file that MCShield did not detect (properly)?

A: Pack the file in an archive (put a password on it and encrypt the file names) and send it to us.

Q: Is MCShield compatible with Panda USB Vaccine? Do I need both programs?

A: Yes, MCShield and USB Vaccine are compatible. USB Vaccine prevents (or at least makes it a bit more complicated) creation of autorun.inf files of

any kind (malicious or legitimate) and by doing that provides a certain degree of protection on legacy operating systems. On the other hand,

MCShield is an anti-malware program capable of detecting and removing not only autorun based worms but also all other non-viral malware

transmitted via removable drives regardless of attack method being used.

Q: Can MCShield detect and disinfect viruses?

A: Some viruses use worm-like techniques to spread to other computers. In those cases, MCShield shall treat the (virus) droppers as worms and

delete them. In case your legitimate programs residing on the flash drive have been infected with a virus (file infector), you need to use an antivirus

to disinfect those files.

Q: My antivirus just reported one of MCShield’s components as malware – what’s this all about?

A: Unfortunately, antivirus programs sometimes make mistakes and recognize legitimate applications as malware – this is called a false positive and

you’ve just witnessed one. As soon as we are informed that some antivirus falsely detects MCShield, we send false positive reports to the vendor in

question. This is usually fixed in a few hours, but sometimes it can take a lot longer. To be able to use the program while the false detection is still

present, you’ll need to add the detected file to the antivirus’ exclusion list.

To speed things up, you can also report the false positive to the company that made the antivirus you’re using. In many cases, the AV program has

an option to report a false positive that you can use. If you’re unable to report the false positive, we would appreciate if you would let us know of

this false detection so we can report it to the vendor.

Q: I already use an antivirus program. Do I need MCShield?

A: Unfortunately, an application that can provide 100% protection against malware doesn’t exist. If you connect flash drives (USB pen drives,

memory cards, cameras, mobile phones, GPS devices etc.) to your computer, the risk for infection increases and getting some help to your antivirus

is a good idea. Most of MCShield’s detections are based on generic routines (heuristics) making the program capable of detecting even new worms

and in that way filling the time gap between when a new malware is released and a signature for it is added to your AV’s database.

Q: Can MCShield provide 100% detection of worms that spread via removable drives?

A: No. We strongly believe that a program capable to detect everything does not exist.

Q: My computer is never connected to the internet and only possible source of infection is a flash drive. I have no antivirus, only MCShield. Is that

enough to provide good protection?

A: We are aware that some people use only MCShield on their offline computers. We believe this makes the computer quite protected against

worms, but an antivirus is still strongly recommended; there could be a legitimate program on the flash drive infected with a file infector or some

setup file repacked with a Trojan – MCShield is not designed to detect that kind of malware.

Q: Do I need administrative privileges on the computer to install MCShield?

A: Yes, you do. The program installs for all users so you must be an administrator or be able to provide administrator credentials to install the

program (you can start the installation even from a limited account – just double click the setup file).

Q: Does MCShield work on limited user accounts?

A: Yes, it does.

Q: I installed MCShield on administrator account. When I log on to my other accounts, the program is not running. What’s wrong?

A: Basically, nothing. The program installs for all users, but the settings are per user. After you install the program and log on to some other

account, start Real-Time Drive Monitor and Control Center and select the desired settings (this is only necessary once per user account).

Q: Whenever I connect my flash drive, MCShield detects the same malware. Why is this happening?

A: It is possible that you PC is already infected so the drive gets reinfected after MCShield cleans it. Please, run a scan with your antivirus.

If that doesn’t help, you can ask for help on a malware removal forum

http://www.mycity.rs/?part=1 (Serbian / Croatian language)

Forums in English and other languages that provide help in malware removal:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#forums

Please note that the free help on these forums is provided by trained, dedicated volunteers: show patience when waiting for help, follow their

instructions and don’t forget to say “thanks” – they deserve it.

Q: Damn, this program sucks!

A: We are really sorry you think so, but we appreciate the feedback. Could you send us an email and tell us what’s wrong?

Q: OMG, this program is great! Can I help in some way?

A:

Do you speak a language that is currently not supported by MCShield and would like to help us with translation? Is so, let us know and we’ll give

you the instructions on how to proceed with the translation.

Q: I have a question not answered here. Where can I ask?

A: If you have any other questions or comments, send us an email (available on the About tab and our website).

You’re also welcome to register on our forums (although the forum is in Serbian, feel free to open a new topic in English language):

http://www.mycity.rs/MyCity-Laboratorija/

You can register / log in with your Facebook account or using this page: http://www.mycity.rs/profile.php?mode=register