Efficient USB Virus Prevention, using Software Restriction Policies

Discussion in 'other anti-malware software' started by hany3, Apr 24, 2009.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    When I applied Panda's USB Vaccine to protect my USB drive, I saw a file named autorun.inf created by Panda in the root folder.

    When I noticed my USB drive had been infected by the other computer, I saw two files named "autorun.inf_" and some ".exe" files in its root folder, which Avira told me were viruses. By default, I can see all hidden files including system files due to my folder policy settings. Btw, the two files are not completely the same. They are "autorun.inf_" and "AUTORUN.INF_".

    I was in a hurry so I deleted all those viruses as soon as possible without looking into the problem. "AUTORUN.INF_" wouldn't allow me to delete it at first but I finally got rid of it. I can't remember everything clearly but that's generally what happened so far.
     
  2. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Interesting... :)

    Not sure what the autorun.inf_ files were but they should not have been an issue. My limited tests with the Panda-created autorun.inf file have indicated that formatting the drive is the only way to get rid of it. So if you were able to get rid of all files called autorun.inf or autorun.inf_ without formatting, it sounds like the Panda immunization failed to work properly. Of course, this is all speculation on my part too... ;)

    (BTW... I didn't reread this thread but even if the Panda file was properly created, it does not prevent a USB stick from becoming infected with bad EXE files. What the immunization does is prevent it from spreading to new PCs via the autorun method.)
     
  3. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    Panda USBVaccine basically creates a special AUTORUN.INF file which cannot be opened/modified/deleted from within Windows (there are some other ways to get rid of it). It doesn't prevent infected executable files from being copied onto the drive. All it does is prevent them from running automatically when the drive is inserted into a PC.

    If your PC is already infected with an Autorun-type trojan, it will try to infect your USB stick. If this USB stick was previously vaccinated with Panda, the trojan may still copy itself to the USB drive (.exe) and try to create an autorun.inf file. As it cannot create the autorun.inf, it created "autorun.inf_". However, this "autorun.inf_" will not be executed by any PC you insert the stick into, as the vaccinated "autorun.inf" already exists on the USB stick.

    Not sure if I explained this correctly or made it worse, but basically:
    a- your other PC is infected
    b- your vaccinated USB is not auto-executing the infected EXE (even though it can still host the infected EXE, this is why your Avira saw it there).
     
  4. progress

    progress Guest

    Does a limited user account prevent a USB virus infection? o_O I think Tweak UI should also be OK to disable autorun ..
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Rmus seems to have the best answers on this topic, but TweakUI seems to only prevent some autoruns. You might look at this thread for more in-depth ideas on autorun prevention:
    https://www.wilderssecurity.com/showthread.php?t=240474

    Sul.
     
  6. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    I'm no authority either but while TweakUI can prevent the majority of Autorun issues, it apparently can't block all of them. As Sully notes (and at other forums), this has been proven through various tests.

    Limited User accounts have a good deal smaller attack window/vector/what have you but there are still ways the PC can be compromised. So, a limited account is still not the same as running in a locked sandbox.

    What I like about the Panda method is that it seems to be helpful in making a blocking method that is easier to use than what we've had before.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It depends on what you mean by "infection." Sully, Lucy and MrBrian have all noted that malware can do things in a LUA without elevating privileges or writing to system directories. Such as manipulating/stealing data.

    However, all of the USB exploits I've seen analyzed install a full-blown working trojan that writes to system areas of the disk, and would probably be stopped at some point in an LUA.

    Nonetheless, just the thought that something could move from my USB drive to the HD w/o my permission makes me nervous, so I look for a preventative measure at the gate.

    As Sul points out, unfortunately TweakUI for XP did not prove reliable in a couple of situations as reported by users. It was never determined why, but it's obvious that so many actions go on in the background when programs or updates are installed that some modification prevented TweakUI from being reliable in all cases, so I no longer make a blanket recommendation for it.

    However, if TweakUI proves to stop autorun.inf on your system, then I would feel safe. You need to do careful tests. Using an installation CD where autorun.inf launches the setup.exe file is a good test. Also, I would re-test after installing any updates just to make sure something hasn't changed that would interfere with what TweakUI does.

    The most bullet-proof tweak -- so far not bypassed -- is the so-called @="@SYS: DoesNotExist" Registry fix described here:

    http://nick.brown.free.fr/blog/2007/10/memory-stick-worms

    The downside is that all Autorun/Autoplay is effectively crippled, which many people don't like. People like Autoplay on their CDs -- for example to start a slide show of pictures sent by a friend or relative.

    Some suggest keeping Registry files on the desktop to toggle that tweak: to disable autorun when viewing someone else's removable media, and enable for other times.

    This would also be good protection when viewing someone else's camera card, or digital picture frame - both of which are USB devices.

    Back in Win95 days when I started computing, we were taught the dangers of Autorun on removable media. Especially in education institutions where faculty came into contact with students' floppy disks on a regular basis.

    Our solution was rather simple: If you hold down the left SHIFT key as you insert the disk, Autorun.inf is suppressed. Then, look at the disk's contents in Windows Explorer (2-pane view of My Computer) - nothing can execute.

    In years of seeing hundreds of floppy disks and later, USB flash drives, I never saw an autorun.inf file on another's disk/drive.

    Today with USB flash drives, only the U3 Smart drive type can execute an autorun.inf file. My advice has been to avoid that type if all you are using the flash drive for is transporting data and pictures. If your drive becomes infected while copying files from another computer, nothing will execute when it is plugged into your computer, and checking the drive's contents will reveal an autorun.inf and accompanying malware executable (note the hidden files - be sure your system is configured to show all files):

    [image: h-1.gif]

    And in the case of Conficker, the presence of a Recycler folder:

    [image: h-2.gif]


    These shouldn't be there, of course, so you can easily delete them and then inform your friend that her/his computer is infected with a USB virus!

    This method can also be used when viewing another's camera card or digital picture frame. I've observed in some hijack forums where a USB exploit was discovered, that the user had the AV up to date, so these so-called 0-day exploits make AV not 100% reliable.

    Another method: I know several people who have a firm policy: No USB media but their own can be used on their computer.

    Finally, since all known exploits in the wild attempt to install a trojan executable, some protection to prevent the running of unauthorized executables would seem to be in order as a final barrier.

    This is more desirable than relying on LUA, in my view, because in LUA an executable runs and is later caught in action. I prefer that it not run at all!

    ----
    rich
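An added example (my own, not code from the thread, from Nick Brown's post or from Panda): a PowerShell script that checks or toggles the Autorun.inf IniFileMapping tweak linked above, and lists on a drive the artefacts described above (autorun.inf and autorun.inf_ variants, a RECYCLER folder, hidden executables), also reporting an autorun.inf that Windows cannot read, which is how the vaccinated file is described earlier in the thread. It assumes Windows PowerShell 3 or later, an elevated prompt for the registry changes, and a drive letter E: that is a placeholder for your own.

```powershell
# Added example (not code from the thread or from Panda). Checks or toggles the
# Autorun.inf IniFileMapping tweak linked above and inspects a removable drive for
# the artefacts described above. Assumes Windows PowerShell 3+ and, for registry
# changes, an elevated prompt; the drive letter E: is an assumption, use your own.
param([string]$DriveRoot = 'E:\', [switch]$Enable, [switch]$Disable)

$MappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutorunMappingState {
    # $true when autorun.inf lookups are redirected to a section that does not exist
    if (-not (Test-Path $MappingKey)) { return $false }
    return ((Get-ItemProperty -Path $MappingKey).'(default)' -eq '@SYS:DoesNotExist')
}
function Enable-AutorunMapping {   # apply the tweak: Autorun.inf on all media is ignored
    if (-not (Test-Path $MappingKey)) { New-Item -Path $MappingKey -Force | Out-Null }
    Set-ItemProperty -Path $MappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
}
function Disable-AutorunMapping {  # undo it, the "toggle" some people keep on the desktop
    if (Test-Path $MappingKey) { Remove-Item -Path $MappingKey -Force }
}

function Find-AutorunArtifacts([string]$Root) {
    $execExt = '.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs'
    $findings = @()
    # -Force lists hidden and system files, like "show all files" in Explorer
    foreach ($i in Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue) {
        $name = $i.Name.ToLowerInvariant()
        if ($name -match '^autorun\.inf_*$') {
            # An autorun.inf that Windows cannot read is consistent with the vaccinated
            # file described above; a readable one (or an autorun.inf_) deserves a look.
            try { [void](Get-Content -LiteralPath $i.FullName -TotalCount 1 -ErrorAction Stop); $r = $true }
            catch { $r = $false }
            $findings += "$($i.Name) [$($i.Attributes)] readable=$r"
        } elseif ($i.PSIsContainer -and $name -eq 'recycler') {
            $findings += "RECYCLER folder present (seen with Conficker): $($i.FullName)"
        } elseif (-not $i.PSIsContainer -and $i.Extension.ToLower() -in $execExt -and
                  (($i.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)) {
            $findings += "hidden executable: $($i.Name)"
        }
    }
    return $findings
}

if ($Enable)  { Enable-AutorunMapping }
if ($Disable) { Disable-AutorunMapping }
"Autorun.inf IniFileMapping tweak active: $(Get-AutorunMappingState)"
"Artefacts found on ${DriveRoot}:"
Find-AutorunArtifacts -Root $DriveRoot | ForEach-Object { "  $_" }
```

Run it with no switches to only report; -Enable or -Disable writes or removes the key, which affects every drive and CD on the machine, as the thread notes.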
     
  8. progress

    progress Guest

    Thank you :thumb:
     
  9. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    It's my understanding this is the method used by Panda if you immunize the PC (with their new tool.)
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You are welcome.

    ----
    rich
     
  11. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    This is correct for "Computer Vaccination". A different method is used for individual drive "USB Vaccination".
     
  12. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Sure. (A public PC, not mine though. :) )
    Yeah, I forgot this could be the cause why Avira popped up when I double clicked the USB drive. But I did see two autorun.inf_ files in my USB drive after I had got it infected by another computer. Maybe I didn't vaccinate it correctly? :doubt:
     
  13. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    It sounds like it's vaccinated correctly. The "AUTORUN.INF_" is probably due to the infected public PC trying to write an infectious AUTORUN.INF. As it cannot (because it's vaccinated), it did the next best thing it could, which is to write it as "AUTORUN.INF_". If you send me the details of the file (md5, url, etc.) I can check it to verify this.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    What about AppGuard? It can vaccinate your USB in real time ;) without a signature base :)
     
  15. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    From what I understand of AP, it should do the job (and much more.) But it's not free like the Panda vaccination tool... :D
     
  16. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    Btw., the Panda USBVaccine doesn't need sigs either. It's basically a generic method for blocking an empty autorun.inf on the USB stick so that it cannot be opened/read/modified/deleted from within Windows :)
     
  17. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Thanks for the reply. Then, does it mean Panda failed to protect me from the virus's next move? (Creating autorun.inf_ to accomplish its infection.) I'm sorry but I don't have any of those files anymore.
     
  18. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    Taking into consideration that a file named "autorun.inf_" does absolutely nothing when sitting next to a vaccinated "autorun.inf", I'd say it did its job correctly.

    Remember that USBVaccine will only block "autorun.inf" files from being modified to prevent malware from executing automatically. That's it. It won't prevent other files from being created on the USB stick.
     
  19. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain