Never thought that any company would use BadUSB method just to bring person to their website. What a waste of hardware.
So most AVs still don't block simple BADUSB attacks? EDIT: this protection is not enabled by default in HitmanPro.Alert, and if I remember right, it has caused a lot of issues with USB devices in the past. So apparently, it is not such an easy protection to implement.
A promotional USB? That right there should be a red flag warning to fire the thing in the rubbish tin.
Yes IMO it is not that easy to implement. When USB device presents itself to OS as a keyboard, AV should somehow figure out that device is not keyboard but something else and block it.
You can use the free G Data USB Keyboard Guard to protect against badusb https://www.gdatasoftware.com/en-usb-keyboard-guard