USB Vaccination truly worthy?

Discussion in 'other anti-malware software' started by sg09, Feb 27, 2012.

Thread Status:
Not open for further replies.
  1. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,713
    Location:
    Kolkata, India
    USB Vaccination, a term that is popular from PandaLabs product. Panda locks the autorun.inf file and some software creates dummy autorun.inf folder. But is that enough in today's scenario? I have autorun disabled and I open USB drive by exploring it but that's not a solution. I have my USB vaccinated by PCAV Pro but still my USB became infected with script worm, stuxnet and other worms. I know that those malware do not rely on autorun.inf but then what is the point in vaccinating USB? Doesn't it give a false sense of security? I know Panda's product is capable of complementing USB vaccination. But the Script worm that I carried a few days ago was undetected by Panda at that time. I am not blaming them of course. I think approaches that No Autorun/Antirun took is much better. What do you think?
     
  2. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    It's just a layer of one of the many layers of security. It's not a separate security solution by any means. You use it or don't that's your choice of course.
    But is it giving a false sense of security? Let me put it this way then...

    I have an AV installed, it didn't detect some malware. Is it giving me a false sense of security? These different products/measures are here to lessen the probability of getting an infection, not preventing all of them ( I will stay away from any product that is claiming it can do so.)
     
  3. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,713
    Location:
    Kolkata, India
    Got your point. But shouldn't such products combine all types of protections? Like Vaccination and No Autorun type of protection?
     
  4. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,173
    Location:
    Spain
    USB Vaccination is similar to no autorun. It is basically a method of completely disabling autorun.inf file and ergo the autorun functionality. However USB Vaccination does not do anything else. So you can still copy files (good and bad) into the USB. Vaccination is just another layer of defense against auto-execution via autorun.inf, but not an end all be all.

    In the case of Stuxnet it's a different story as it doesn't use autorun.inf but rather the Microsoft .LNK vulnerability to auto-execute.
     
  5. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,713
    Location:
    Kolkata, India
    Thanks pbust.
    But even if the link vulnerability is patched No Autorun is able to detect it. I don't know how it was able to detect that. But I just want to say that, this type of protection is needed in order to detect unknown malwares coming from USB drives.
    And about the script virus (.vbs) I don't know if it uses autorun.inf or not because even though my USB drive was vaccinated it was infected with that.
     
  6. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I actually have never seen USB malware operate...

    ...I only plug in a USB when I need it and I remove it when I'm done.

    I've never had any issues.
     
  7. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    i always wanted to know about this too , heard theres even separate programs for the job aka ninja pendrive etc ,

    what do yall think bout it? and if its worth a dime , then any recommendations? , since ninja pendrive is mainly for xp , on w7 you wont see your external drive letters, only local drive default nametag is what you get , was a real bitch to remove that locked autorun.inf and rest too , had to boot into a linux distro to clear them , and my old drive names popped up ;)
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It would be helpful for an unpatched XP or misconfigured V/7. It seems like a more "intense" version of the built-in no-autorun.

    As mentioned it won't matter to Stuxnet as it uses a separate exploit.
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    I believe Panda USB Vaccine (and its ilk) protect against malware currently on the USB device from running via "auto-run". It doesn't protect the USB device from being infected.
     
  10. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Well, let's see...

    Using solely Windows Vista/7 (and some of these XP) you already can:

    1. Set each AutoPlay action to "take no action" in the control panel. The problem is, this is a non-administrative setting, which means all users get to make their own preferences. I do set it this way as a backup just for the heck of it, but this is not really a good method if your computer is used by anyone else besides yourself.

    2. Enable "turn off autoplay" (I know, logically it sounds weird) in AutoPlay Policies.
    EDIT: Actually, I'm not wrong. Look up this on Microsoft Support. Even they use AutoPlay/AutoRun interchangeably since they go hand-in-hand. This setting will indeed turn off AutoRun and Play!

    3. Use a software restriction policy to block ANY executable from running by default, or tweak it down to block things that aren't already on the drive.

    I would venture to guess that #2 is sufficient for most computer users. If you wish to extend your security and actually prevent anything from executing (true white-list), use # 3.

    That should be it. I am not currently in agreement that you need additional 3rd party software specifically for USB/autorun malware, other than your existing anti-malware solution. Any decent real-time anti-malware application worth its salt should scan removable drives that get attached.
     
    Last edited: Mar 1, 2012
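
An added example, not part of any post in this thread: a read-only PowerShell check of the `NoDriveTypeAutoRun` registry value, which per Microsoft's documentation is where the "Turn off AutoPlay" policy from point 2 above is stored. The function names are made up for this example; the bit meanings and the HKLM-over-HKCU precedence are assumptions taken from Microsoft's documentation, not from the thread.

```powershell
# Added example (not from the thread): read-only audit of NoDriveTypeAutoRun.
# A set bit disables AutoRun for that drive type; bit values per Microsoft docs.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
}

# Hypothetical helper: decode the bitmask into one row per drive type.
function ConvertFrom-NoDriveTypeAutoRun {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $DriveTypeBits.Keys) {
        [pscustomobject]@{
            DriveType       = $name
            AutoRunDisabled = [bool]($Value -band $DriveTypeBits[$name])
        }
    }
}

# Hypothetical helper: return the effective value. HKLM is checked first
# because a machine-wide value takes precedence over the per-user one.
function Get-AutoRunPolicy {
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$sub" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $raw = $item.NoDriveTypeAutoRun
        # The value may be stored as REG_DWORD or as a 4-byte REG_BINARY.
        if ($raw -is [byte[]]) { $raw = [BitConverter]::ToInt32($raw, 0) }
        return [pscustomobject]@{ Hive = $hive; Value = [int]$raw }
    }
}

$policy = Get-AutoRunPolicy
if ($null -eq $policy) {
    'NoDriveTypeAutoRun is not set in HKLM or HKCU; the Windows default applies.'
} else {
    'Effective NoDriveTypeAutoRun = 0x{0:X2} (from {1})' -f $policy.Value, $policy.Hive
    ConvertFrom-NoDriveTypeAutoRun -Value $policy.Value | Format-Table -AutoSize
    if (($policy.Value -band 0xFF) -eq 0xFF) {
        'AutoRun is disabled for every drive type.'
    } elseif (-not ($policy.Value -band 0x04)) {
        'AutoRun is NOT disabled for removable drives.'
    }
}
```

The result describes only the machine the script runs on; it says nothing about files already copied onto a USB drive or about the settings of other machines the drive is plugged into.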
  11. quanzi_1507

    quanzi_1507 Registered Member

    Joined:
    Feb 18, 2009
    Posts:
    320
    Well while what you've said might be true in most cases, if you are to carry your USB to lots of places it would be better to "vaccinate" it beforehand, because the settings on your computer won't protect your USB from other computers, and (sadly) some users just don't want others to mess around with their system settings.

    Imagine this, you have a fortress of malware defense on your system. But if you plug your USB into infected machine A the former will still become infected, and if you plug it again into a clean machine B with poor defense / no defense at all it will infect the latter right when it is plugged in. While USB vaccination doesn't eradicate the malwares, it does prevent them from activating automatically. So unless you accidentally run the malware yourself, machine B will still be safe.
     
  12. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Either my USB is plugged in to:

    1. My house computers which are secured with my principles

    2. My college campus, which has its own IT department that should be competent enough to lock exes down via Windows or Novell.

    If I went to someone's house such as a client, I would consider vaccination or fresh formatting of the USB every time.

    So my point is, if you have a good security setup on your home computers and you are worrying about your work computers, your work IT department should take care of this. If they don't, that's their problem. In a system as locked down as mine usually are, it would be highly unlikely that malware got to my USB drive especially since I rarely ever leave it plugged in.

    And I say again, any decent antivirus worth its salt will by default scan USB drives either in real-time and/or at least during a full scan. Yes, AVs often miss stuff, so that is why we disable autorun and/or use other white-list based measures.

    I'm just not very into the idea of installing a dozen different products when there is definitely already a lot of overlap involved.
     
    Last edited: Feb 28, 2012
  13. quanzi_1507

    quanzi_1507 Registered Member

    Joined:
    Feb 18, 2009
    Posts:
    320
    I see your point. Too bad my work environment isn't what I would consider safe so personally I'm fine with another extra layer.

    Used to do this with batch commands till these tools came out :D
     
  14. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    hey guys im trying to work out something with ninja pendrives dev , got a hold of him maybe hell release an updated version were already in talks bout it ;)
     
  15. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,173
    Location:
    Spain
    You're mistaking auto-play with auto-run. They are two different functionalities with two different scopes of action.
     
  16. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    EDITED:

    I did not mistake anything, actually.

    Windows has AutoRun and AutoPlay both. They are sometimes used/referred to interchangeably since AutoPlay is a sub-technology of AutoRun.

    You can indeed turn them both off at once most effectively by performing what I suggested in point #2. Microsoft has an article explaining this on their support site if you search Google for "turning autorun off in Windows 7". There is another group policy setting that does it too, but the effect is the same.

    Also, having a default disallowed SRP would essentially yield the same security level, since nothing can auto-execute anyway.
     
    Last edited: Mar 1, 2012
  17. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,173
    Location:
    Spain
    I said you were mistaken because you said "turn off auto-play" in your post above. Turning off auto-play does not prevent malware from automatically executing if it has infected an autorun.inf. Yes I know you can turn both auto-play and auto-run off, but that's not what you said originally.

    Regardless, those types of settings are touched only by a small minority of advanced users and network admins. It would be interesting to see how many Wilders members actually have turned off auto-run manually like you suggest, considering this is a very security conscious crowd. For the vast majority of users out there this is not a valid option and therefore point-and-click products and/or having this functionality integrated and by default in a security product (like PCAV for example) are more effective means of getting this dangerous feature turned off massively.
     
  18. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Right, but as I've clarified, changing the setting in #2 I mentioned will turn AutoRun and AutoPlay off according to Microsoft, just to be clear.

    And that isn't a valid solution because the mass education of end users to change that setting will result in you (or any other security corporation) making less money? :D

    In all seriousness...yes, these settings are a bit advanced, especially the software restriction policy. That I shall admit openly...

    But nevertheless, I would rather stop the problem at the source rather than constantly add 3rd party modules/products to do it for me. I have confidence that people can learn. After all, I'm not an IT major; I'm an EDU major.

    Now, being an EDU major I know that people are stubborn and don't always want to learn. Thanks to Microsoft FixIt, you don't have to. Click a button on Microsoft Support and your AutoRun is disabled.


    No offense intended at all, either. I respect your product and I'm sure it has something to add as Quanzi has pointed out. However, I'm a big believer in utilizing built-in measures first, THEN adding 3rd party products to supplement security as needed!
     
  19. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,173
    Location:
    Spain
    Actually we don't make money off of that. Our Panda USB Vaccine is a free product and it does more than simply disabling auto-run.

    Given your previous statement about "making less money" you probably won't agree, but AV companies have spent lots of money on end user education of secure computing habits (I know at least we have) and it's like throwing money at a black hole. And with newer generations it's actually getting worse. But I have to admit it's amusing to see an idealist like yourself. I just hope you do as you preach and actually spend the time to educate the masses.
     
  20. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I do what I can in addition to being a full-time student.

    I am a reasonably active member on many of the forums here at Wilders. I am also fairly active on the Microsoft Answers forum. I make educational YouTube videos, (and I don't mean "YouTester" crap!) which I plan to do more of this year. Additionally, I do a lot of work/education on computer security & other topics face-to-face with people I encounter every day.

    If by user education you mean driving users to your website and telling them why they "need" your solution (free or paid), that's user misinformation. If you're going to throw a sarcastic remark at me because I am informing people what they've already paid for by using genuine Windows, I'm going to respond.

    Now, getting back to the original topic/question of this thread as there's no point arguing with you anymore...I feel that I have offered my input (probably ad nauseam at this point,) which people are of course free to take or leave. I am in no way an "expert", but I am an informed power user and I wanted to share my insight on the issue proposed by this thread, which was: "Are USB vaccinations truly worthy?"

    My answer: Depends. If you utilize (or at least understand) the built-in countermeasures first, and still want more (as Quanzi does, which I respect and understand completely), then by all means go for it! :)
     
    Last edited: Mar 2, 2012
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    The notion that average users are going to drill down into settings is fanciful at best. It's also important to note that many users see Auto-run/Auto-play as important functionality and disabling them as breaking that functionality. They need to be given a clear explanation for why it's advisable to sacrifice the convenience of Auto-run/Auto-play, and they also need to be shown how to manually find files and start installers on external/USB media.
     