Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA
Which AV is best for real-time protection against USB drives?
I have just finished removing a total of 29 viruses/trojans from a friend's laptop; it's taken me about 4 hours to do that. The laptop is completely clean for now.
I have run a boot scan using Avast (found 21 trojans), then Webroot Spy Sweeper (found only 'spy cookies'), then Ad-Aware (found nothing), then Avira (found 9 trojans), then ran Malwarebytes Anti-Malware and a few assorted programs.
In the HJT log I noticed that 1 virus still remained, called sdra64.exe. Neither Avast, nor AVG, nor Avira could remove it. Finally, using the solution below, I was able to kill it. »mrmusicmaker.blogspot.com/2009/0···for.html
All these infections were the direct result of using infected USB drives. The thing that worries me is that I had advised him to install 'USB Disk Security' »www.zbshareware.com/ which creates an AUTORUN.INF folder on all your drives, including your USB drive. I don't know if one of the trojans actually deleted this folder and then installed its own malicious autorun.inf folder. I didn't know they could do that! (if that is what happened)
Another thing is that the original AUTORUN.INF folders were still present on the C, D and E drives, so they weren't deleted. I wonder how the one on the USB stick got deleted. Anyway, one of the interesting things was that the virus would make a .exe using the same name as the parent folder! So, if I have a folder named 'Stuff', then in this folder would be another folder named Stuff.exe.
Anyway, it's all removed now; everything is clean. I checked and double-checked.
So, my question is: specifically for immediate real-time detection of autorun viruses on USB, which antivirus application is the best? (I'm asking because I myself don't use any antivirus software on my home computers. I practice safe hex, which is why I never get infected, but that's another story.)
mysec Premium join:2005-11-29
A trojan is a trojan, and if an AV is going to catch it, it doesn't matter whether the trojan tries to sneak in from the Web or via USB.
Having said that, bullet-proof protection against intrusion of any executable file not already installed is available from any number of products with execution prevention.
USB exploit from 2008:

This saves having to fiddle with all sorts of autorun.inf tricks.
---- rich
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA (reply to Shriyash)
Thanks mysec, but what would you recommend? (I don't think Anti-Executable or DeepFreeze is an option.) His laptop is the office laptop, and the IT team there has installed Norton Antivirus on the machine. It's updated, but clearly it's totally useless! Where was it, what was it doing when the laptop was being infected? (And you can't even uninstall it, because it is protected with a password.) Anyway, I can tell my friend to ask the IT guys to remove Norton from his machine, but what do I install in its place?
mysec Premium join:2005-11-29
Well, you've got a big problem. Most IT guys I've heard about are mired in outmoded concepts of computer security, with AV about the limit of their knowledge and experience. I assume your friend's IT guys fit into this category, or there would have been no infections.
However, if you are brave and want to suggest something, here is a test I conducted last year with help from Wilders members using different products. The test uses a web-based remote code execution exploit, but the principle applies to anything that triggers an executable to run, including autorun.inf.
»www.urs2.net/rsj/computing/tests/remote
Good success to you in your endeavors!
---- rich
HA Nut Premium join:2004-05-13 USA (reply to Shriyash)
I have used the autorun.inf folder protection on my flash drives and it has worked for me (and I did have an active infection try to spread via my flash drive). But if the malware is written well enough, I imagine that it's possible that it could be deleted???
An alternative would be to use Panda's USB Vaccination app. It is worthwhile for protection of either the PC or the flash drives themselves. The flash drive vaccination writes a dummy, inaccessible autorun.inf file at the root folder of the flash drive and it cannot be deleted by any standard means I've tried. (AFAIK, the flash drive protection can only be removed by formatting the flash drive. The PC vaccination is reversible.) You might want to take a look at it... »research.pandasecurity.com/archi···ine.aspx
One thing to keep in mind is that using either of these 2 methods won't prevent the USB drive from having the bad EXE file written to it. What the fake autorun.inf does is help prevent the spread of the bad EXE by not automatically running it upon USB drive insertion.
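The two mechanics discussed in this thread, the autorun.inf that AutoRun would honour and the "Stuff\Stuff.exe" folder-mimic dropper, can be checked for by hand before any AV gets a say. The script below is an added example written for this page, not code from any poster, from Panda or from zbshareware; it assumes the drive root is just a directory path and builds its own constructed sample stick (the file names, the RECYCLER\dropper.exe target and the autorun.inf contents are made up) so it runs offline on any OS. It parses the launch directives an autorun.inf would trigger, flags executables named after a folder, and applies the dummy AUTORUN.INF-folder vaccination the thread describes.

```python
import configparser
import os
import tempfile
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return (key, command) pairs for every autorun.inf directive that names
    something to run: open=, shellexecute= and shell\\<verb>\\command=.
    Parsing is deliberately lenient: worm-written files carry duplicate keys,
    mixed-case [AutoRun] headers and '%' characters in values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    found = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):  # configparser lower-cases keys
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value.strip()))
    return found


def _find_autorun(root):
    """Case-insensitive lookup so the check behaves like Windows on any host."""
    for entry in Path(root).iterdir():
        if entry.name.lower() == "autorun.inf":
            return entry
    return None


def autorun_state(root):
    """'file' = a real (possibly malicious) autorun.inf, 'folder' = the dummy
    directory vaccination is in place, 'absent' = nothing at the root."""
    entry = _find_autorun(root)
    if entry is None:
        return "absent"
    return "folder" if entry.is_dir() else "file"


def find_folder_mimics(root):
    """Flag an entry named <folder>.exe either inside the folder
    (Stuff/Stuff.exe) or beside it (Photos.exe next to Photos/).
    Returns POSIX-style paths relative to root, sorted."""
    root = Path(root)
    hits = set()
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        files_lower = {f.lower(): f for f in filenames}
        for d in dirnames:
            mimic = d.lower() + ".exe"
            try:
                for child in (here / d).iterdir():
                    if child.name.lower() == mimic:
                        hits.add(child.relative_to(root).as_posix())
            except OSError:
                continue
            if mimic in files_lower:
                hits.add((here / files_lower[mimic]).relative_to(root).as_posix())
    return sorted(hits)


def vaccinate(root):
    """Create an empty AUTORUN.INF directory at the root so a worm that opens
    autorun.inf for writing fails. Returns True if created, False if some
    autorun.inf (file or folder) was already there. As the thread notes, a
    plain directory can still be removed by malware that expects it, so this
    is a speed bump; disabling AutoRun in the registry is the real control."""
    if _find_autorun(root) is not None:
        return False
    (Path(root) / "AUTORUN.INF").mkdir()
    return True


def scan(root):
    """What you would run on a stick right after inserting it with AutoRun off."""
    report = {"autorun": autorun_state(root), "launchers": [], "mimics": find_folder_mimics(root)}
    entry = _find_autorun(root)
    if entry is not None and entry.is_file():
        report["launchers"] = parse_autorun(entry.read_text(errors="replace"))
    return report


# Constructed sample (not a real capture): a worm-style autorun.inf that hooks
# AutoPlay, double-click and the context menu, plus two folder-mimic droppers.
SAMPLE_AUTORUN = """[AutoRun]
open=RECYCLER\\dropper.exe
shellexecute=RECYCLER\\dropper.exe
shell\\open\\command=RECYCLER\\dropper.exe
shell\\open\\default=1
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def build_sample_drive(root):
    root = Path(root)
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    (root / "RECYCLER").mkdir()
    (root / "RECYCLER" / "dropper.exe").write_bytes(b"MZ")  # placeholder, not a PE
    (root / "Stuff").mkdir()
    (root / "Stuff" / "Stuff.exe").write_bytes(b"MZ")
    (root / "Photos").mkdir()
    (root / "Photos.exe").write_bytes(b"MZ")


def demo():
    """Scan the constructed infected stick, then vaccinate an empty one."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        build_sample_drive(infected)
        first = vaccinate(clean)   # True: nothing there yet
        second = vaccinate(clean)  # False: the dummy folder already owns the name
        return {"infected": scan(infected), "clean": scan(clean), "created": (first, second)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Point `scan()` at a mounted stick's root to get the same report for real media. Note that on a stick whose autorun.inf is a folder, `launchers` is always empty: that is exactly the condition the vaccination tools aim for, and the `created` pair shows the second vaccination attempt being refused because the name is taken, which is the same failure a worm's write would hit.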
mysec Premium join:2005-11-29 (reply to Shriyash)
said by Shriyash: (I don't think Anti-Executable or DeepFreeze is an option)
In that case, can the IT people set a Group Policy to disable USB?
Or use that Nick Brown Registry tweak to completely disable autorun on the system.
BTW - How did you determine that all of the infections were via USB?
---- rich
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA (reply to mysec)
said by mysec: Well, you've got a big problem. Most IT guys I've heard about are mired in outmoded concepts of computer security, with AV about the limit of their knowledge and experience. I assume your friend's IT guys fit into this category, or there would have been no infections.
Oh, their attitude to infections is so lax, it's frightening. It is a medium-sized company; it probably has 60+ computers at his branch alone. And because of the prevalence of USB sticks, everybody likes to keep them handy, and even computers that are offline aren't spared from infection. I remember my friend saying that he has been trying to get the IT guys for a week to clean the laptop, and when they finally get to it, all they do is back up data and reformat the machine!
Edit: I think they have an imaging solution which they apparently love.
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA (reply to mysec)
said by mysec: In that case, can the IT people set a Group Policy to disable USB? Or use that Nick Brown Registry tweak to completely disable autorun on the system. BTW - How did you determine that all of the infections were via USB?
Well, their move to disable the USB was very unpopular with the rest of the staff, lol. So it was quickly reversed. Yep, I've added the noautorun.inf .reg file into the registry. How did I determine that they were from USB? Well, there are severe restrictions on internet access; only a set number of work-related websites are accessible... plus all one has to do is get an infected USB stick from home and use it in the office, and bam, your local network now has the virus. (The sdra64.exe disables the Windows firewall.)
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA (reply to HA Nut)
said by HA Nut: An alternative would be to use Panda's USB Vaccination app. [...] The flash drive vaccination writes a dummy, inaccessible autorun.inf file at the root folder of the flash drive and it cannot be deleted by any standard means I've tried. [...] What the fake autorun.inf does is help prevent the spread of the bad EXE by not automatically running it upon USB drive insertion.
Great post HA Nut, thanks!! I never knew about this free tool from Panda Security; I will install it asap.
Edit: Well, it tells me that I'm already vaccinated. Of course that's because the USB Disk Security application has already created an Autorun.INF folder on all the drives. I tried to delete the folder, just to see if I could. I can't!!
mysec Premium join:2005-11-29 (reply to Shriyash)
I would also like to have a look at that!
---- rich
ashrc4 join:2009-02-06 australia (reply to Shriyash)
HIPS... or maybe you missed this one
Millenniumle join:2007-11-11 Fredonia, NY (reply to Shriyash)
For Windows XP:
Copy and paste into WordPad. Save as "disable.reg". Double-click the file and click "OK" to merge it with the registry when prompted. Reboot the computer for the change to take effect.
Fear USB no more!
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA
I've already added Nick Brown's .reg file to disable autorun. I'm looking for suggestions on the best real-time scanner in the AV market today.