I often have malicious Autorun.inf files on USB drives that clients connect to machines. GetSusp is pretty good at flagging that they exist and noting them as suspicious, but I don't think the file that the Autorun.inf points to for the Autorun is checked.
Is this location checked by GetSusp? If not, could it be considered as an FMR?
Valid FMR - will ensure this goes in
My fellow researchers and I had actually proposed this idea last year in a paper on Autorun worms titled "The Rise of AutoRun-Based Malware". Page 10 describes this idea and leveraging the cloud to scan executables referenced in the autorun.inf.
Thanks for bringing this up.
Message was edited by: Vinoo Thomas on 18/11/10 2:02:08 PM IST
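Scanning the executables referenced in autorun.inf, as proposed in the post above, first requires extracting the launch targets from the file. The following is an added example, not part of the thread and not GetSusp or any McAfee code; the drive root `E:\` and the sample file contents are constructed for illustration.

```python
import ntpath
import re

# Keys in the [autorun] section whose value names a program to launch.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # e.g. shell\explore\command

# Constructed sample, not taken from a real drive.
SAMPLE = r"""
; comment line
[AutoRun]
Open=RECYCLER\setup.exe -install
ShellExecute="tools\My Viewer.exe" /q
shell\explore\command=RECYCLER\setup.exe
icon=folder.ico
[Content]
open=ignored.exe
"""

def first_token(value):
    """Split the program from its arguments, honouring double quotes.
    Unquoted paths containing spaces are ambiguous and are cut at the space."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split(None, 1)[0] if value else ""

def autorun_targets(text, drive_root="E:\\"):
    """Return the sorted, de-duplicated paths an autorun.inf would launch,
    resolved against drive_root so a scanner can be pointed at them."""
    targets = set()
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()  # section and key names are case-insensitive
        if key in LAUNCH_KEYS or SHELL_CMD.match(key):
            program = first_token(value)
            if program:
                targets.add(ntpath.normpath(ntpath.join(drive_root, program)))
    return sorted(targets)
```

Each returned path can then be handed to whatever scanner is available; command-line arguments after the program name are dropped, so a payload passed as an argument is not covered.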
Would also be nice if I could set up an ePO TASK to deploy to VSE to Block access to the USB until a SCAN can be done.
Thinking that since McAfee hooks into the filefilter driver that as soon as the USB is inserted then McAfee could start scanning the USB with some options. Just a thought.
Might not be the correct forum for this post, but I agree with dbusby3. An option for automatically doing a scan on USB drives when inserted (with configurable options) would certainly be nice :-)
With 1TB USB drives being the norm - such a rule can be a double-edged sword. The USB device could end up being locked for quite a while.
This request has come up many a time on different threads and should ideally be posted on the VSE forum.