Proactive detection of USB viruses?

Discussion in 'ESET NOD32 Antivirus' started by MarvinK, Oct 15, 2010.

Thread Status:
Not open for further replies.
  1. MarvinK

    MarvinK Registered Member

    Joined:
    Oct 15, 2010
    Posts:
    6
    I'm looking for a corporate anti-virus product that has proactive detection of USB viruses--without having to enable autorun on computers. Does anyone know if ESET can do this, or will it only detect viruses if you have autorun enabled, browse the folder with the virus or try to run the virus?

    I can understand why some vendors wouldn't want to force a full scan of any USB storage that gets inserted (especially if it turns out to be a TB drive full of small files), but it seems like with the massive increase in malware spread via USB, it wouldn't be unreasonable to expect (at a minimum) anti-virus to detect the USB Storage service starting up, check to see what drives it mounts, scan those drives to see if they have autorun files, and then scan any files that are referenced by the autorun. It would have minimal impact on performance.

    I think users expect that if they plug in a storage device into a computer with updated anti-virus, it will tell them if it is infected--unfortunately, the software I've tested so far all seem to not meet that expectation. Any idea if ESET will pick those up?
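The proposal in the post above (detect the mount, look for an autorun file at the drive root, scan only what it references) is straightforward to prototype. The following is an added example written for this thread, not code from the original post or from ESET: it parses a drive's autorun.inf and builds the list of files an on-insert scan would need to check. The function names, the sample autorun.inf text and the drive letter are constructed for illustration; the platform-specific hook that notices the drive being mounted (a device-change notification on Windows) is assumed to exist and is not shown.

```python
"""Parse a removable drive's autorun.inf and list the programs it would launch,
so an on-insert check can scan just those files rather than the whole drive."""
import re

# Keys whose value names a program Windows would run (or offer to run) for the
# drive. "shell\<verb>\command" keys are matched by the regex.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample, not taken from a real infection. It uses the path from the
# thread (badfolder\badvirus.exe) plus a second entry to exercise the parser.
SAMPLE_AUTORUN = """\
[autorun]
; constructed sample autorun.inf
icon=drive.ico
open=badfolder\\badvirus.exe /silent
shellexecute="badfolder\\badvirus.exe" -q
shell\\explore\\command=.\\badfolder\\other.exe
shell\\open=Explore
"""


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section with keys lowercased.
    Blank lines, comments (';' or '#') and other sections are ignored."""
    pairs = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def first_token(command):
    """Program path from a command line: the quoted string if the line starts
    with a quote, otherwise the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def referenced_programs(text):
    """Drive-relative Windows paths of every program autorun.inf would launch,
    de-duplicated (case-insensitively) and in order of first appearance."""
    found = []
    for key, value in parse_autorun(text):
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            path = first_token(value).replace("/", "\\").lstrip("\\")
            if path.lower().startswith(".\\"):
                path = path[2:]
            if path and path.lower() not in {p.lower() for p in found}:
                found.append(path)
    return found


def scan_targets(drive_letter, text):
    """Absolute paths to hand to the scanner: the autorun.inf itself plus every
    program it references. The caller reads autorun.inf from the drive root."""
    root = f"{drive_letter}:\\"
    return [root + "autorun.inf"] + [root + p for p in referenced_programs(text)]


if __name__ == "__main__":
    for target in scan_targets("X", SAMPLE_AUTORUN):
        print("scan:", target)
```

For the sample above the scan list is the autorun.inf plus `badfolder\badvirus.exe` and `badfolder\other.exe`; the duplicate reference and the non-command `shell\open` key are dropped. As later replies in the thread point out, this only covers malware that relies on autorun, so it is a cheap first layer on insert, not a replacement for scanning files as they are opened or copied.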
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    V4.2 already scans files run from removable media with advanced heuristics by default, which ensures that recognized malware would be blocked upon execution.
     
  3. Matthijs5nl

    Matthijs5nl Guest

    And what about the unrecognized malware?

    What will v5's general strategy for unknown malware be? Behavior-based detection, reputation-based detection, cloud-based detection; or a combination of the three? Or HIPS or sandboxing?
    It has been really quiet about version 5. All I remember from ESET's side was an interview on YouTube about version 5; but that one is really old already, I think you released it on the day of the version 4 release. And all it mentions is that parental control will become available, which in my eyes is the last thing to do. And an interview on Softpedia, which only mentions you will focus on more platforms and you will keep improving the product (I have never heard a company saying: on the next release our product will be worse).
     
  4. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Hello Matthijs5nl, I have seen some similar options.

    For example, some type of emulation is automatically done by advanced heuristics. (active)
    Behavior blocker is an "On-Execution" technology, so I guess that has something to do with the option "Advanced Heuristics on file Execution" (Disabled by default)
    ThreatSense.Net is a cloud-based system.
    ESET products are constantly updated through modules, so you do not have to wait for the next version (e.g. 2010, 2011, etc.)
     
  5. MarvinK

    MarvinK Registered Member

    Joined:
    Oct 15, 2010
    Posts:
    6
    Every vendor has something they tout to help catch malware that tries to run... I want to catch stuff that would have tried to run, except autorun was disabled. People should be able to be reasonably confident that if they plug the key into a computer with current AV, they don't have a key that is spreading malware--and I shouldn't have to enable autorun to do it.

    Asking users to right click on the drive and scan it manually is not an effective or reliable method because it isn't automatic and it depends on users.
     
  6. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    a full scan of a USB drive upon plug-in could take a while, depending on the machine resources and the size of the USB drive and the amount of data on it, and could even halt access to the USB drive for a while, which a lot of users would be confused/annoyed about. as a sample my internal sata drive of 500 GB capacity / NTFS / approx. 250 GB of data on it takes more than 4 hrs on a full scan with an i7 quadcore processor. during the scan the machine becomes sluggish, now imagine a less powerful machine with a USB drive.

    if anything tries to run/execute from the USB drive it would be scanned by NOD, be it autorun or not. that is as much pro-active as it gets. and even with a full scan AV could miss 0-day exploits like it must have been the case with Stuxnet, going for a while undetected by various AV.
     
  7. MarvinK

    MarvinK Registered Member

    Joined:
    Oct 15, 2010
    Posts:
    6
    My original post acknowledges that performance concern and proposes a solution (check autorun and scan only those files referenced by that file).
     
  8. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    then perhaps I missed your point - as anything trying to execute from the USB drive would be scanned by NOD anyways and perhaps by most other AV products. malicious stuff does not need to be autorun, as Stuxnet has proven.
     
    Last edited: Oct 16, 2010
  9. MarvinK

    MarvinK Registered Member

    Joined:
    Oct 15, 2010
    Posts:
    6
    I want it to catch viruses on USB keys that you plug in, whether you run the virus or not.

    For example, if someone is working in a lab with computers that don't have anti-virus and have autorun enabled... the user brings in their clean USB key... works on one lab computer (and doesn't realize it is infected and has infected their USB key with a virus in X:\badfolder\badvirus.exe and updated the autorun file to launch it). They put some backup files that they need to move to their work computer on the key.

    The user plugs in their (infected) USB key and expects their corporate AV product to flag any malware (it doesn't because they have autorun disabled and they don't manually browse into badfolder). They don't remember to manually scan the key. They grab the backup files off the key, and don't get any alerts from their up-to-date AV that they trust, and assume it is clean.

    User takes the key to another lab computer... which also lacks the protections their corporate computer had. This lab computer has now been infected by a USB key that the user would expect that their corporate AV would have caught when it was in their work computer. This key will remain infected until the key happens to be left in the work computer during a scheduled scan or the user happens to remember to scan the drive manually... and will continue to infect lab computers.
     
  10. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    well, the lapse is not with the AV product but with the computers not having any AV for protection, you actually want one computer with AV to safeguard the rest of the world. that is a concept I doubt the AV industry will grasp on, their goal is to sell the product for each computer, e.g. those unprotected lab machines. why those lab machines are kept unprotected anyway and in that case even permitted to connect external USB drives - a virulent heaven? there are a few free of charge AV products out there, if it is about funds.

    and I am not sure what user would expect to have the USB drive sanitized just by plugging it into a machine with AV? NOD would already apply protection when browsing a folder in windows explorer, at least under W7 and thus anything malicious recognised would be caught then already - that without running a scan or anything being executed on the USB drive.
     
  11. MarvinK

    MarvinK Registered Member

    Joined:
    Oct 15, 2010
    Posts:
    6
    I don't control the lab computers--and I don't think it's an uncommon problem, unfortunately. I agree the lab (or whatever) computers should be better secured and managed, but I think it happens more often than it should... particularly in some countries.

    It seems like a relatively easy feature to add, and I'm sure I'm not the only admin who might consider it a valuable feature... on the computers they do have control over.
     
  12. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    on the computer you have control over and with NOD installed files are getting scanned when being copied/moved, browsed in windows browser and of course executed. there you have your controlled machines protected. as mentioned just to scan the autorun related files does not sanitize the USB drives as malicious stuff does not depend on it and can hide anywhere on the disk - e.g. Stuxnet did not have any autorun entry - that is where you are back to scan the entire USB.

    perhaps for achieving your safety level you may create a more controlled environment for USB drives connecting to your machines, such as hardware id grooming/matching, password protecting prior access, check time stamps, USB drive encryption, educate people using USB drives in foreign environments. in NOD you can even block access to USB drives entirely and thus could force users to connect USB drives only at a single point of entry, e.g. a dedicated virtual machine with AV where you can run a full scan, perhaps with multiple AV engines and distribute legit files from the USB drives to the respective machines.

    AV products are no substitution for education of people or the utilisation of their brain capacities...
     
    Last edited: Oct 17, 2010
  13. MarvinK

    MarvinK Registered Member

    Joined:
    Oct 15, 2010
    Posts:
    6
    We have a lot of the controls you suggest... I just think a proactive anti-virus that picks up more than 99+% of the malware (everything except Stuxnet) spread by USB would be a selling feature--that would be yet another layer of protection against USB-spread malware.

    ...and our users would certainly not complain about removing other layers if a proactive anti-virus would off-set those needs.
     