This article by “Icarus Cyber Labs” explains the technical working of their newly created USB malware scanner.
The core of the malware scanner is a Python script that continuously polls for USB devices. The polling is done by repeatedly checking the output of the “blkid” command on Linux; it can also be accomplished with the Python bindings for udev. The script is set to start once the Pi has booted. The only dependency required is simplejson, used for exchanging JSON data with the servers.

Once a device is detected, the script hashes the contents of the device using the Python hashlib library. Once the MD5 hashes are obtained, they are sent to an offsite server for processing. Instead of sending them to a server, the Pi is also capable of using an on-board antivirus solution such as ClamAV, via the pyclamav module.

Where multiple antivirus solutions are used, the script checks for a positive reply from any of the providers. In the default configuration, if one AV provider’s reply is positive, the overall result is considered positive. Similarly, if only an internal antivirus solution is used and its reply is positive, the result is considered positive. Note that each file is hashed and compared separately.

During scanning, whenever the AV considers a file to be infected, the GPIO pin connected to the LED is pulled high. The pin is reset when the scanning of that file is complete, so the LED lights up only for an infected file and is reset before the next file is scanned.

The most distinctive aspect of the device is how configurable it is. For example, the server that performs the checking can be changed, and the tolerance for false positives can be adjusted.
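The per-file flow described above, as an added example that is not the Icarus Cyber Labs script: poll block devices with blkid, hash each file with hashlib, ask every provider, treat one positive as an overall positive, and pulse the LED around each infected file. The server and ClamAV lookups are stood in for by a local MD5 blocklist, and the GPIO pin by a callback, both assumptions for this example; the sample files are constructed.

```python
import hashlib
import os
import subprocess
import tempfile
from typing import Callable, Dict, List, Set

Provider = Callable[[str], bool]  # takes an MD5 hex digest, True means flagged

def blkid_devices() -> List[str]:
    """Poll the block devices currently present, as the Pi script does with blkid."""
    out = subprocess.run(["blkid", "-o", "device"], capture_output=True, text=True)
    return out.stdout.split()

def md5_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a large file on the stick does not exhaust the Pi's RAM."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_mount(mount_point: str, providers: List[Provider],
               led: Callable[[bool], None]) -> Dict[str, bool]:
    """Hash every file separately, query each provider, pulse the LED per hit."""
    results: Dict[str, bool] = {}
    for root, _dirs, names in os.walk(mount_point):
        for name in names:
            path = os.path.join(root, name)
            digest = md5_file(path)
            infected = any(p(digest) for p in providers)  # one positive verdict is enough
            led(infected)        # GPIO high while this file is flagged
            results[os.path.relpath(path, mount_point)] = infected
            led(False)           # reset before the next file is scanned
    return results

def blocklist_provider(known_bad: Set[str]) -> Provider:
    """Stand-in (assumed) for a server or ClamAV lookup: a local MD5 blocklist."""
    return lambda digest: digest in known_bad

def demo():
    """Constructed sample stick: two files, one whose MD5 is on the blocklist."""
    bad_bytes = b"constructed sample bytes standing in for a flagged file"
    known_bad = {hashlib.md5(bad_bytes).hexdigest()}
    pulses: List[bool] = []      # records every LED state change
    with tempfile.TemporaryDirectory() as mnt:
        for name, data in (("notes.txt", b"harmless text"), ("dropper.bin", bad_bytes)):
            with open(os.path.join(mnt, name), "wb") as f:
                f.write(data)
        results = scan_mount(mnt, [blocklist_provider(known_bad), blocklist_provider(set())], pulses.append)
    return results, pulses
```

Swapping `blocklist_provider` for a function that posts the digest to the configured server, or runs pyclamav on the file, keeps the any-positive combination and the LED behaviour unchanged.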
In the end you have a highly portable device that can play an important role in perimeter security. “Sheep dips” such as these are usually not favoured because of their extra power consumption and the space they take up; using the RPi solves both of these problems.
The back-end detection can be integrated with a custom API that works with various engines at the back end, or we could use the VirusTotal API, Jotti or elementscanner for detection.