Crap AV detection results

  • Thread starter Thread starter Frazer Jolly Goodfellow
  • Start date Start date
1PW said:
On 03/29/2009 08:25 PM, kurt wismer sent: [snip]
i think folks are getting a little hysterical about autorun.inf files...
while i agree that autorun is a braindead feature that should absolutely
be killed, scanning autorun.inf files is retarded - you might as well
scan autoexec.bat files while you're at it... there's nothing bad in the
autorun.inf file...
Click to expand...

But Kurt, I wonder if that was _the_ possible attack vector that took
down a portion of the French Air Force for a few days and raised hob
with portions of bt.com as well?

I know this may be unanswerable.

USB thumb drives and laptops, brought from the outside world, were some
of the primary sources for our attacks at my previous place of employment.
Click to expand...

oh, absolutely, portable physical devices are one of the least protected
attack vectors these days (everything old is new again)... but it still
makes little sense to try and identify something as malware by looking
at it's associated autorun.inf file...
 
kurt said:
Gaz wrote:
[snip]
But the mechanism and the method of operation are the same. The
writing of an autorun file to a flash disk would be a rare to non
existant legitimate activity, and a prety likely behaviour of a a
virus.
Click to expand...

just because it doesn't happen a lot in your environment doesn't mean
it's rare in other environments... virtually every software developer
that distributes their product on optical media uses autorun.inf
files...
Click to expand...

Optical media will be read only, are you trying to tell me that it isnt
possible to distinguish between a removable drive and a cd drive???
Really???
i think folks are getting a little hysterical about autorun.inf
files... while i agree that autorun is a braindead feature that
should absolutely be killed, scanning autorun.inf files is retarded -
you might as well scan autoexec.bat files while you're at it...
there's nothing bad in the autorun.inf file...
Click to expand...

It is a sign however. If i see a flash drive with autorun.inf i assume it is
infected...

Gaz
 
Gaz said:
kurt said:
Gaz wrote:
[snip]
But the mechanism and the method of operation are the same. The
writing of an autorun file to a flash disk would be a rare to non
existant legitimate activity, and a prety likely behaviour of a a
virus.
Click to expand...
just because it doesn't happen a lot in your environment doesn't mean
it's rare in other environments... virtually every software developer
that distributes their product on optical media uses autorun.inf
files...
Click to expand...

Optical media will be read only, are you trying to tell me that it isnt
possible to distinguish between a removable drive and a cd drive???
Really???
Click to expand...

some flash memory drives lie to the system about what type of drive they
are - see U3 drives...

also, some folks actually distribute content in flash media rather than
optical... it's especially prevalent as promotional gifts...
It is a sign however. If i see a flash drive with autorun.inf i assume it is
infected...
Click to expand...

no U3 drives for you then...
 
Back
Top