Nice. I had to turn off ESET just to download the file. At least it's catching it there.
From: Sam Cayze [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2008 11:10 hrs
To: NT System Admin Issues
Subject: RE: USB usage protocols

Eicar is an AntiVirus test string... http://www.eicar.org/anti_virus_test_file.htm

It should be used heavily before AV deployments to test scanning and reporting behaviors. More importantly on servers, to make sure exclusions are set up properly.

It's actually just a string of characters. Put it in a txt file and change the extension to .bat, .mdb, .com, .doc, etc. to test your scanners.

For instance, put the string in your SQL Data folder, and change the extension to .MDB. If the AV ever catches it, then you can be assured your AV is scanning your SQL files, ouch.

In your case, change it to a bat, throw it on the USB, and try to run it. Does NOD catch it? If so, you've got an exclusion somewhere that lets BAT run. Yikes.

-Sam

From: Christopher J. Bosak [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2008 11:03 AM
To: NT System Admin Issues
Subject: RE: USB usage protocols

Here's the autorun.ini file:

[autorun]
action=Open Files On Folder
icon=icons\drive.ico
shellexecute=nircmd.exe execmd CALL batexe\progstart.bat

Perhaps I need to set it to scan bat files as well? And forgive me, but what is Eicar testing?

From: Sam Cayze [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2008 11:00 hrs
To: NT System Admin Issues
Subject: RE: USB usage protocols

Scanning and the real-time filters use a totally different set of configurations. What is the extension of the program that executes? Is that somehow excluded? Can you mimic the same results with Eicar testing?

From: Christopher J. Bosak [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2008 10:31 AM
To: NT System Admin Issues
Subject: RE: USB usage protocols

Added note: when told to scan the folders / archive where the program is stored, THEN it finds it. But until then, it does nothing.

Chris

From: Christopher J. Bosak [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 03, 2008 10:27 hrs
To: NT System Admin Issues
Subject: USB usage protocols

Okay, so it's come through the grapevine that someone is walking around with a USB drive that has USBThief running on it. I got a copy of the program, and it grabs passwords and whatever other information it thinks is useful and copies it to the drive, and then you remove it. All this with nothing showing up on the screen. Now, we're running NOD32, and I tested it, and it worked, and NOD did nothing. Has anyone run into this at all? Is the only option to disable the USB ports? Thanks in advance.

Chris

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
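Sam's EICAR procedure from the thread (drop the test string under several extensions, then see which copies the on-access scanner acts on), written up as an added Python example; it is not code from the thread. The extension list, the probe file name, the two-second settle time and the temp-directory helper are assumptions; to test a USB stick or a server data folder, pass that path to check_coverage instead.

```python
import hashlib
import os
import tempfile
import time

# The public 68-byte EICAR test string (eicar.org).  It must be the first
# bytes of the file and the file must be no longer than 128 bytes.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Published SHA-256 of the 68-byte file.  A one-character typo makes the
# string inert, so verify it before trusting any "missed" verdict.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# Extensions Sam names in the thread (assumed list; extend as needed).
DEFAULT_EXTENSIONS = ("com", "bat", "txt", "doc", "mdb")


def string_is_intact() -> bool:
    """True if the embedded string hashes to the published EICAR value."""
    return hashlib.sha256(EICAR).hexdigest() == EICAR_SHA256


def check_coverage(directory, extensions=DEFAULT_EXTENSIONS, settle=2.0):
    """Write one EICAR copy per extension into `directory`, wait `settle`
    seconds for the real-time scanner, then return {ext: 'caught'|'missed'}.
    'missed' = file still readable with the string intact, i.e. that
    extension or directory is excluded from on-access scanning."""
    paths = {}
    for ext in extensions:
        path = os.path.join(directory, f"eicar_probe.{ext}")
        with open(path, "wb") as fh:
            fh.write(EICAR)
        paths[ext] = path
    time.sleep(settle)
    verdicts = {}
    for ext, path in paths.items():
        try:
            with open(path, "rb") as fh:
                intact = fh.read() == EICAR
        except OSError:  # deleted, quarantined or access denied by the AV
            intact = False
        verdicts[ext] = "missed" if intact else "caught"
    return verdicts


def probe_temp_dir(settle=2.0):
    """Convenience wrapper: run check_coverage in a fresh temp directory."""
    return check_coverage(tempfile.mkdtemp(prefix="eicar_"), settle=settle)


if __name__ == "__main__":
    assert string_is_intact(), "EICAR string mistyped"
    for ext, verdict in probe_temp_dir().items():
        print(f".{ext:<4} {verdict}")
```

A 'caught' on every extension except the one your USB program uses points at exactly the kind of extension or path exclusion Sam describes; an all-'missed' result on a machine with AV running means the directory itself is excluded from real-time scanning.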