
USB MALWARE DETECTION AND PREVENTION USING YARA AND CLAMAV

Guided by: Arya A R, Assistant Professor, CSE Dept, RIET
Submitted by: Aakash Kumar Bhagat (RIE22CC001), Adhid Mohamed Safeer (RIE22CC007), Adithyan S (RIE22CC009), Anagha Sabu (RIE22CC018)
TABLE OF CONTENTS

01 ABSTRACT

02 INTRODUCTION
03 LITERATURE SURVEY
04 EXISTING SYSTEM
05 PROBLEM STATEMENT
06 PROPOSED SYSTEM
07 CONCLUSION
08 FUTURE SCOPE
09 REFERENCES
ABSTRACT

Malware and ransomware that spread through USB drives pose serious risks to digital systems. A portable malware detection and prevention system has been developed on the Raspberry Pi platform to scan USB drives automatically before a host accesses them. It features a graphical interface and combines ClamAV's signature-based detection with YARA's rule-based string matching, which relies on the Aho-Corasick algorithm for fast multi-pattern search. The system works offline, so it is not exposed to network-based threats, and includes quarantine, deletion, and signature updates applied through the GUI. Testing confirms high accuracy, efficiency, and reliability across different USB brands and storage sizes. Its lightweight, cost-effective, and scalable design makes it suitable for personal, organizational, and government use, including air-gapped and low-resource environments. Custom YARA rules allow ongoing adaptation to new threats.
INTRODUCTION

 The increasing sophistication and frequency of cyberattacks have made malware and ransomware serious global security concerns, with USB drives emerging as one of the most exploited attack vectors. These portable devices are widely used for data transfer, but because they connect directly to systems without passing through network defenses, they bypass traditional perimeter security measures with ease.
 USB-based attacks can have severe consequences, including data theft, file encryption for ransom, operational disruption, and long-term system compromise. Since these devices can carry malicious payloads into even air-gapped or offline systems, they represent a threat that is not easily mitigated by conventional, network-dependent security solutions.
 This research proposes an embedded malware detection system on a Raspberry Pi that combines ClamAV for signature-based scanning with YARA rules, whose string matching uses the Aho-Corasick algorithm for efficient multi-pattern search. By scanning USB drives before the host accesses them, it intercepts threats early.
 The solution is scalable, offline-capable, and lightweight, making it suitable for diverse environments. Its support for custom YARA rules provides adaptability to new threats, while a graphical interface keeps it easy to use.
LITERATURE SURVEY

Each entry lists the paper, the methodology used, its merits, its demerits, and the benefit the proposed system offers over it.

1. R. Sihwail et al., "A Survey on Malware Analysis Techniques" (2024)
   Methodology used: Comparative study of static, dynamic, hybrid, and memory analysis techniques.
   Merits: Covers broad malware analysis methods; highlights strengths and weaknesses.
   Demerits: No specific hardware-based prevention; mainly analysis-focused.
   Proposed system benefits: Our system provides real-time detection on USB devices before infection.

2. M. P. Gounder and M. Farik, "New Ways to Fight Malware" (2023)
   Methodology used: Explored novel prevention and detection techniques using existing security frameworks.
   Merits: Introduces multiple malware prevention strategies.
   Demerits: Lacks implementation on embedded or portable platforms.
   Proposed system benefits: Portable, standalone malware scanner usable without an internet connection.

3. A. Souri and R. Hosseini, "Malware Detection using Data Mining" (2024)
   Methodology used: Machine learning and data mining for malware classification.
   Merits: Can detect unknown malware patterns; adaptable to evolving threats.
   Demerits: Requires large training datasets and high computational resources.
   Proposed system benefits: Our system works offline using ClamAV signatures, reducing processing needs.

4. M. R. Yaswinski et al., "Linux Security: A Survey" (2023)
   Methodology used: Overview of Linux security measures, including ClamAV antivirus usage.
   Merits: Demonstrates ClamAV's flexibility and configurable scanning options.
   Demerits: Limited to OS-level protection; no dedicated USB scanning mechanism.
   Proposed system benefits: Our system embeds ClamAV in a Raspberry Pi for dedicated USB scanning.

5. G. Raffa, "Testing Antivirus in Linux" (2021)
   Methodology used: Performance evaluation of 4 antivirus solutions on 43,553 malicious ELF files.
   Merits: Found ClamAV to have the highest detection rate (97.9%).
   Demerits: Even the best AV missed 896 samples; detection depends on signature updates.
   Proposed system benefits: Our system uses ClamAV with an easy update feature via the GUI, ensuring the latest signatures.
EXISTING SYSTEM

 A portable malware scanner is built using a Raspberry Pi.
 Existing systems rely heavily on signature-based detection databases, which need regular online updates.
 Offline operation is supported by using the locally stored ClamAV signature database.
 System development follows the Waterfall model for structured implementation.
 The system is validated through unit testing, integration testing, and user acceptance testing.
EXISTING SYSTEM DISADVANTAGES

 Online dependence: Existing systems still depend on regular online updates to keep their signature databases current, limiting their effectiveness in offline or air-gapped environments.
 No behavior detection: Reliance on signature matching fails to detect new or unknown malware that exhibits suspicious activity patterns.
 Usability challenges: Antivirus tools often have complex interfaces, making quick USB scanning difficult for average users.
PROBLEM STATEMENT

Current malware detection solutions are limited by their dependence on signature-based databases that require constant online updates. USB drives are typically scanned only after being connected to the host system, creating a high risk of immediate infection. These approaches also lack portability, depend on internet availability, and often fail to detect new or unknown malware, making them unsuitable for secure or offline environments.
PROPOSED SYSTEM

 Hardware-based solution – Uses a Raspberry Pi as a dedicated scanning device, so an untrusted drive is never mounted on the user's machine before it has been checked.
 Dual detection engines – Integrates ClamAV for signature-based scanning with YARA rules for pattern-based detection of strings, byte sequences, and file characteristics. YARA matches content statically rather than observing runtime behavior, which is why custom rules are needed to cover new families.
 Prevention-first approach – Scans USB drives before they are connected to user systems, reducing infection risk.
 Offline capability – Works without continuous internet connectivity, making it suitable for air-gapped and secure environments.
 User-friendly GUI – Provides a simple interface to scan, view results, and quarantine or delete malicious files.
 Portable and secure – Can be easily carried and deployed to check multiple USB drives in field or organizational use.
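The scan-then-quarantine flow described above, as an added example that is not code from the project: a Python module that runs ClamAV and YARA over a mount point, merges the two engines' verdicts per file, and quarantines or deletes whatever was flagged. It assumes the clamscan and yara command-line tools rather than the pyclamd and yara-python bindings listed under software requirements, and the mount point, rule file name, sample file and engine output strings used in demo() are constructed placeholders.

```python
"""Scan a mounted USB volume with ClamAV and YARA, then quarantine or delete hits.

Added example, not the project's own code. It drives the clamscan and yara
command-line tools through subprocess instead of the pyclamd / yara-python
bindings the slide lists, so the report parsing and quarantine logic run on any
machine; a stage whose tool is not installed is skipped. The sample file, the
engine output strings in demo() and the rule file name are constructed.
"""
import hashlib, re, shutil, subprocess, tempfile
from pathlib import Path

# clamscan -r --infected --no-summary prints one line per detection:
#   /media/usb/invoice.exe: Win.Trojan.Agent-123 FOUND
CLAM_LINE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")
# yara -r <rules> <dir> prints one "<rule> <path>" line per match.
YARA_LINE = re.compile(r"^(?P<rule>\S+) (?P<path>.+)$")

def parse_clamscan(output):
    """Map each infected path to its ClamAV signature name."""
    hits = {}
    for line in output.splitlines():
        m = CLAM_LINE.match(line.rstrip())
        if m:
            hits[m["path"]] = m["sig"]
    return hits

def parse_yara(output):
    """Map each matched path to the list of YARA rules that fired on it."""
    hits = {}
    for line in output.splitlines():
        m = YARA_LINE.match(line.rstrip())
        if m:
            hits.setdefault(m["path"], []).append(m["rule"])
    return hits

def merge_detections(clam, yara):
    """Combine both engines into {path: ["clamav:<sig>", "yara:<rule>", ...]}."""
    merged = {}
    for path, sig in clam.items():
        merged.setdefault(path, []).append(f"clamav:{sig}")
    for path, rules in yara.items():
        merged.setdefault(path, []).extend(f"yara:{r}" for r in rules)
    return merged

def _run(args):
    """Run a scanner CLI if it is installed; return its stdout, or "" when absent."""
    exe = shutil.which(args[0])
    if exe is None:
        return ""
    return subprocess.run([exe, *args[1:]], capture_output=True, text=True).stdout

def quarantine(path, qdir):
    """Move a detection into qdir under its SHA-256 name and strip all permissions,
    so it stays identifiable in reports but inert until an analyst decides otherwise."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / digest
    shutil.move(str(path), str(dest))
    dest.chmod(0)
    return {"original": str(path), "quarantined": str(dest), "sha256": digest}

def apply_actions(detections, qdir, delete=False):
    """Quarantine (default) or delete every detected path that still exists."""
    actions = []
    for p in sorted(detections):
        fp = Path(p)
        if not fp.is_file():
            continue
        if delete:
            fp.unlink()
            actions.append({"original": p, "deleted": True})
        else:
            actions.append(quarantine(fp, qdir))
    return actions

def scan_mount(mount, rules, qdir, delete=False):
    """Full pipeline: clamscan (exit status 1 means infections found) and yara over
    the mount point, verdicts merged, then quarantine or delete what was flagged."""
    clam = parse_clamscan(_run(["clamscan", "-r", "--infected", "--no-summary", str(mount)]))
    yara = parse_yara(_run(["yara", "-r", str(rules), str(mount)]))
    detections = merge_detections(clam, yara)
    return {"detections": detections, "actions": apply_actions(detections, qdir, delete)}

def demo():
    """Stand-alone run on a constructed sample; needs neither clamscan nor yara."""
    work = Path(tempfile.mkdtemp(prefix="usbscan-"))
    sample = work / "usb" / "invoice.exe"
    sample.parent.mkdir()
    sample.write_bytes(b"abc")  # constructed stand-in for an infected file
    clam_out = f"{sample}: Win.Trojan.Agent-123 FOUND\n"  # constructed clamscan output
    yara_out = f"suspicious_strings {sample}\n"  # constructed yara output
    detections = merge_detections(parse_clamscan(clam_out), parse_yara(yara_out))
    actions = apply_actions(detections, work / "quarantine")
    result = {"verdicts": list(detections.values()), "sha256": actions[0]["sha256"],
              "source_removed": not sample.exists(),
              "quarantined_present": Path(actions[0]["quarantined"]).exists()}
    shutil.rmtree(work)
    return result
```

For the scan itself, mount the drive on the Pi with `-o ro,noexec,nodev,nosuid` so nothing on it can execute or be written while the engines read it, and remount read-write only for the quarantine or delete step. Quarantined files are renamed to their SHA-256 and left with no permission bits, which keeps them from being opened by the GUI or an autorun handler by accident while still giving the report a stable identifier.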
SYSTEM REQUIREMENTS

HARDWARE REQUIREMENTS

Component: minimum requirement
 Processor: Quad-core ARM Cortex-A72 (Raspberry Pi 4) or equivalent
 RAM: 2 GB (4 GB recommended for smoother performance)
 Storage: 16 GB MicroSD card (32 GB recommended)
 USB ports: Minimum 2 USB ports for scanning external drives
 Platform: Raspberry Pi 4 Model B (or higher)
 Display & input: HDMI display/monitor, keyboard, and mouse (for GUI access)
SOFTWARE REQUIREMENTS

Operating System
 Raspberry Pi OS (Linux-based, 64-bit recommended)
Programming Languages
 Python 3
Tools / Libraries / Frameworks
 ClamAV (signature-based malware detection engine)
 YARA (rule-based malware detection engine)
 Aho–Corasick string matching algorithm implementation
 Python libraries:
   tkinter / PyQt (GUI support)
   pyclamd (client for the clamd scanning daemon)
   yara-python (YARA bindings)
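The Aho–Corasick matching that the abstract, the introduction and the requirements list refer to, as an added example rather than code from the project or from YARA: a compact Python automaton that finds every occurrence of several byte patterns in a single pass over a buffer, then applies a YARA-style "N of them" condition. The indicator strings in PATTERNS and the contents of SAMPLE are constructed for the demo and do not come from any real rule or sample.

```python
"""Aho-Corasick multi-pattern matching over a file buffer.

Added example, not the project's or YARA's code. YARA compiles the strings of all
loaded rules into one Aho-Corasick automaton so a file is read once however many
strings there are; this compact Python version does the same for a few constructed
indicator strings, reports where each occurs, and applies a YARA-style
"N of them" condition to the result.
"""
from collections import deque


class AhoCorasick:
    """Trie with failure links; scan() costs O(len(data) + number of hits)."""

    def __init__(self, patterns):
        self.goto = [{}]  # goto[state][byte] -> next state
        self.fail = [0]   # failure link of each state
        self.out = [[]]   # (name, length) of every pattern ending at each state
        for name, pat in patterns:
            self._insert(name, pat)
        self._link()

    def _insert(self, name, pat):
        s = 0
        for b in pat:
            if b not in self.goto[s]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].append((name, len(pat)))

    def _link(self):
        # Breadth-first, so a state's failure target is finished before the state.
        queue = deque(self.goto[0].values())  # depth-1 states keep fail = root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # Inherit the target's outputs so patterns that are suffixes are reported.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Yield (pattern name, start offset) for every occurrence, overlaps included."""
        s = 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for name, length in self.out[s]:
                yield name, i - length + 1


# Constructed indicator strings of the kind a YARA rule lists; not from a real rule.
PATTERNS = [
    ("mz_header", b"MZ"),
    ("autorun_inf", b"[autorun]"),
    ("powershell_enc", b"powershell -enc"),
    ("ransom_note", b"YOUR FILES HAVE BEEN ENCRYPTED"),
]

# Constructed file contents for the demo; not a real sample.
SAMPLE = (b"MZ\x90\x00" + b"A" * 16
          + b"[autorun]\r\nopen=launch.exe\r\n"
          + b"cmd /c powershell -enc SQBFAFgA "
          + b"YOUR FILES HAVE BEEN ENCRYPTED")


def scan_buffer(data, patterns=PATTERNS):
    """Return {name: [start offsets]} for every pattern found in data, in one pass."""
    found = {}
    for name, offset in AhoCorasick(patterns).scan(data):
        found.setdefault(name, []).append(offset)
    return found


def verdict(found, minimum=2):
    """YARA-style condition '<minimum> of them': true when enough distinct strings hit."""
    return len(found) >= minimum
```

The failure links are what make this a single pass: when the next byte does not extend the current partial match, the automaton falls back to the longest proper suffix that is itself a prefix of some pattern instead of rescanning from the start, so scan time does not grow with the number of rules loaded. The inherited outputs matter for overlapping indicators such as "he" inside "she"; both are reported at their own offsets, which is the behavior a rule author relies on when one string is a substring of another.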
APPLICATIONS

 OS-independent threat detection: Because scanning runs on a dedicated device, detection does not depend on the host operating system and is not undermined by malware that subverts security software installed on the host. The scanner described here inspects the files on the mounted storage; it does not inspect USB protocol traffic itself.
 Insider threat mitigation: Checking every removable drive at one control point lets an organization detect unauthorized content before it reaches sensitive systems. Blocking "bad USB" or rogue devices that present themselves as keyboards would require inspecting USB communications at the hardware level, which is beyond file scanning and remains a possible extension.
 Zero-trust for unknown devices: Any unfamiliar or untrusted USB drive can be kept off host systems until its contents have been scanned and explicitly approved.
 Forensic and audit capability: Logging every scan and its verdicts on the device provides a record of USB interactions for later incident analysis, supporting compliance and security investigations.
 Critical infrastructure protection: Especially useful in industrial, healthcare, and mission-critical environments where network access is limited and USB drives are often the main method of data transfer.
CONCLUSION

 The proposed USB malware detection and prevention system addresses the risks posed by infected portable devices.
 By integrating ClamAV (signature-based) and YARA rules (pattern-based), it combines accuracy against known malware with adaptability to evolving threats.
 The use of a Raspberry Pi as a dedicated hardware platform enhances security, portability, and isolation from the host system.
 Offline capability makes it suitable for air-gapped, resource-limited, and high-security environments.
 Testing confirms high efficiency, reliability, and scalability, supporting its suitability for personal, organizational, and governmental deployment.
 Overall, the system provides a cost-effective, lightweight, and proactive solution for early interception of threats carried on USB drives.
FUTURE SCOPE

 AI/ML-powered malware detection:
Future versions of the system can integrate machine learning models to detect unknown or zero-day threats by analyzing file features and anomaly patterns, improving resilience against evolving malware.
 Cross-platform media support:
The solution can be extended to scan not only USB drives but also other portable storage devices such as SD cards, external hard drives, and smartphones, enhancing versatility and deployment scope.
 Advanced visualization dashboard:
A web-based or mobile-friendly dashboard can be developed to provide real-time reports, scan histories, alerts, and system health insights, thereby improving usability and situational awareness.
 Automated incident response:
The system can move from operator-driven response to automatic response by adding features such as automatic quarantine of detections without confirmation, system rollback, or alert notifications to administrators, ensuring faster and proactive handling.
 Integration with enterprise security frameworks:
By enabling integration with Security Information and Event Management (SIEM) tools, the solution can provide centralized monitoring, incident correlation, and intelligence sharing across enterprise networks.
REFERENCES

 Agus Reza A. Nurwa, Muhammad Hasbi, Dimas F. Priambodo, Wawan L. Y. Saptomo, Daffa A. P. Yusa, and Setiyowati Z. Zaini, "Portable Malware Scanner Based on Embedded Devices," Proc. ISITIA, IEEE, 2023, doi: 10.1109/ISITIA59021.2023.10220984.
 Md Nahidul Alam, Priyanshu Agrawal, Abishek Singh, Preeti Dubey, Mayuri Kumari, and Avinash Kumar, "Detection and Prevention of Malware and Ransomware Threats Using Malicious String Analysis," Proc. ICSEIET, IEEE, 2023, doi: 10.1109/ICSEIET58677.2023.10303501.
 ClamAV, "Clam AntiVirus," Cisco Talos, 2023. Available: https://www.clamav.net
 Dominika Regeciova et al., "Pattern Matching in YARA: Improved Aho-Corasick Algorithm," IEEE Access, vol. 9, pp. 62857–62866, 2021, doi: 10.1109/ACCESS.2021.3074801.
 M. Tischer, Z. Durumeric, E. Bursztein, and M. Bailey, "The Danger of USB Drives," IEEE Security & Privacy, vol. 15, no. 2, pp. 62–69, 2017.
 Raspberry Pi Foundation, "Raspberry Pi Documentation," 2023. Available: https://www.raspberrypi.org/documentation