USB - Bypass Antivirus scanner
In the world of penetration testing, we often rely on various tools and scripts, stored on removable drives, to perform our tasks effectively. However, a frequent obstacle many pentesters face is the automatic deletion of files due to antivirus software or endpoint security measures. These tools, designed to protect systems, often mistakenly identify essential penetration testing files as malicious and delete them from USB drives or other media.
To counter this, I devised a method for creating immutable files on a USB drive (or at least files that security products will not delete). By making these files resistant to deletion, even by antivirus systems, I've managed to secure my tools and ensure they remain accessible throughout the testing process. This post walks through the rationale, setup, and practical tips for creating such immutable files, so that your essential resources remain intact when they're needed most.
Possible Solutions
We have several options to accomplish this:
- Create a read-only USB using the `diskpart` utility on Windows.
- "Burn" an ISO image to the flash drive.
- Place the tools in a ZIP file.
Create a read-only USB using the diskpart utility on Windows
Start `diskpart` in Windows from the Command Prompt (CMD):
```
diskpart
```
List all connected drives:
```
list disk
```
Select the drive/disk, replacing `X` with `0` or `1`, i.e. the disk number that `list disk` shows for the flash drive (selecting the wrong number applies the attribute to another disk):
```
select disk X
```
Set the read-only attribute:
```
attributes disk set readonly
```
Verify the configuration:
```
attributes disk
```
NOTE: With this solution, the user will be unable to delete files from the flash drive on Windows and macOS. However, on Linux, file editing is still possible. Additionally, antivirus software may still delete files from this flash drive and bypass this restriction.
"Burn" the ISO image to the flash drive
Create a folder containing the files you want to write to the flash drive.
Create an ISO image using the command:
```
genisoimage -o my_image.iso -V "LABEL" -r -J -iso-level 3 -udf my_folder
```
Explanation of the options:
- `-o my_image.iso`: specifies the output ISO file.
- `-V "LABEL"`: sets a volume label for the ISO.
- `-r`: enables Rock Ridge extensions (for Unix compatibility).
- `-J`: enables Joliet extensions (for Windows compatibility).
- `-iso-level 3`: allows file names longer than the 8.3 format, making it more flexible.
- `-udf`: adds UDF (Universal Disk Format) for better compatibility with modern Windows systems.
List all drives and identify the correct one:
```
lsblk
```
"Burn" the image to the flash drive, replacing `sdX` with the device that `lsblk` shows for the USB drive (writing to the wrong device overwrites that disk):
```
sudo dd if=my_image.iso of=/dev/sdX bs=4M status=progress
```
Sync and eject the drive:
```
sync
sudo eject /dev/sdX
```
NOTE: I was unable to open this drive on Windows. Since it's a USB, the system is attempting to read it as a DVD. One possible workaround is to upload the ISO image to the flash drive (formatted as NTFS, for example) and then mount the ISO from the flash drive.
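As an added example (not code from the original post), a POSIX shell wrapper around the `dd` step above that refuses to write unless the target is a whole, removable, unmounted disk, which is the check that protects the system disk from a mistyped `sdX`. The `SYSFS_ROOT` and `MOUNTS_FILE` overrides are hypothetical hooks so the checks can be exercised against a constructed directory tree instead of the live `/sys` and `/proc/mounts`.

```shell
#!/bin/sh
# Added example, not code from the original post: guard the "dd" step so the
# image is only written to a whole, unmounted, removable disk (a wrong /dev/sdX
# would overwrite the system disk). SYSFS_ROOT and MOUNTS_FILE are hypothetical
# overrides so the checks can be exercised against a constructed tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Return 0 if NAME (e.g. "sdb", not "/dev/sdb") is a whole block device that
# the kernel flags as removable. /sys/block lists whole disks only, so a
# partition name such as "sdb1" fails the directory test; names containing
# a slash or starting with a dot are rejected so a typo cannot escape it.
is_removable_whole_disk() {
    name="$1"
    case "$name" in
        ''|*/*|.*) return 1 ;;
    esac
    [ -d "$SYSFS_ROOT/block/$name" ] || return 1
    [ "$(cat "$SYSFS_ROOT/block/$name/removable" 2>/dev/null)" = "1" ]
}

# Return 0 if neither the disk nor any of its partitions (sdb1, mmcblk0p1)
# appears in the mounts table.
is_unmounted() {
    ! grep -Eq "^/dev/$1(p?[0-9]+)? " "$MOUNTS_FILE"
}

# Run both checks, then mirror the post's dd / sync / eject sequence.
safe_burn() {
    image="$1"; name="$2"
    [ -r "$image" ] || { echo "image not readable: $image" >&2; return 1; }
    is_removable_whole_disk "$name" ||
        { echo "refusing: /dev/$name is not a removable whole disk" >&2; return 1; }
    is_unmounted "$name" ||
        { echo "refusing: /dev/$name has a mounted filesystem" >&2; return 1; }
    sudo dd if="$image" of="/dev/$name" bs=4M status=progress
    sync
    sudo eject "/dev/$name"
}

# Usage: sh safe_burn.sh my_image.iso sdb
if [ "$#" -ge 2 ]; then
    safe_burn "$1" "$2"
fi
```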
Place the tools in a ZIP file
Antivirus solutions sometimes don't scan inside ZIP files automatically to save system resources and speed up performance. Scanning every compressed file can be time-consuming, and ZIP files might contain large amounts of data that could slow down the process.
Another reason is that many ZIP files are password-protected or encrypted, making it difficult for antivirus software to access their contents without the correct password. Some antivirus solutions will only scan ZIP files if they’re extracted or actively opened by the user, while others may require specific configuration to include archived files in regular scans.
By placing the pentesting tools inside a ZIP archive, with or without a password, you can prevent antivirus software from deleting these tools from your flash drive.
NOTE: Anyone can edit the contents of the flash drive, but antivirus software will not delete the files.
Summary
Each solution addresses different priorities:
- Solution 1 (Read-only USB) is ideal for high security and fixed, uneditable content but may be bypassed by advanced users.
- Solution 2 (ISO image) is best suited for distributing complex toolsets in an exact state, though it limits the USB’s future flexibility.
- Solution 3 (ZIP file) offers the most flexibility and is easy to distribute, though it provides minimal protection from modification and antivirus interference.
| | 1. Create a read-only USB using the diskpart utility on Windows | 2. "Burn" the ISO image to the flash drive | 3. Place the tools in a ZIP file |
|---|---|---|---|
| Pros | Prevents accidental file deletion or modification on the USB, making it secure for distributing unchangeable content. Compatible with Windows systems, and the read-only status remains in place across most operating systems. | Simplifies distribution of large, complex toolsets or software in a structured, unmodifiable format. Maintains file integrity, as the ISO format keeps everything in an exact state, similar to a read-only setup. | Simple and flexible, allowing users to access and extract tools as needed. Antivirus software may overlook ZIP archives, reducing the risk of automatic deletion of certain files. |
| Cons | Users with advanced knowledge may bypass this protection on some systems. Can be bypassed by antivirus solutions. | Once "burned," the drive is not easily modifiable or reusable without reformatting. Users without ISO management experience may find it challenging to use or modify the contents. Windows cannot read the content of the flash drive. | Does not prevent modification or deletion after extraction, so users could still alter or remove files. May provide limited security, as some antivirus software may still scan and flag contents, especially if the ZIP is not password-protected. |
Enjoy!