ESET needs to know that. NOT GOOD!

 

  _____  

From: Christopher J. Bosak [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2008 12:35 PM
To: NT System Admin Issues
Subject: RE: USB usage protocols

 

 

It was active the whole time. It didn't find eicartest until I tried to
move it.

 

From: Christopher J. Bosak [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2008 11:27 hrs
To: NT System Admin Issues
Subject: RE: USB usage protocols

 

Good idea. Thanks. :-)

 

From: Sam Cayze [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2008 11:25 hrs
To: NT System Admin Issues
Subject: RE: USB usage protocols

 

PS: I usually set the online scanner to ignore TXT files, and I set a
folder exclusion to exclude folders called EICARTEST.  I can then
download and save the file somewhere, and then start moving and renaming
it to start my testing...

 

From: Christopher J. Bosak [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2008 11:17 AM
To: NT System Admin Issues
Subject: RE: USB usage protocols

 

Nice... I had to turn off ESET just to download the file... at least
it's catching it there.

 

From: Sam Cayze [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2008 11:10 hrs
To: NT System Admin Issues
Subject: RE: USB usage protocols

 

Eicar is an AntiVirus test string...
http://www.eicar.org/anti_virus_test_file.htm

 

It should be used heavily before AV deployments to test scanning and
reporting behaviors.  More importantly on servers, to make sure
exclusions are set up properly.  It's actually just a string of
characters.  Put it in a txt file, and change the extension to
.bat, .mdb, .com, .doc, etc. to test your scanners.

 

For instance, put the string in your SQL Data folder, and change the
extension to .MDB.  If the AV ever catches it, then you can be
assured your AV is scanning your SQL files, ouch.

 

In your case, change it to a bat, throw it on the USB, and try to run
it.  Does NOD catch it?   If so, you've got an exclusion somewhere that
lets BAT run.   Yikes.

 

-Sam
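
One way to script the check described in the message above, as an added PowerShell example that is not part of the original message. The function name `Test-RealTimeCoverage`, the probe file name and the wait time are assumptions made for illustration.

```powershell
# Added example, not from the thread. The 68-character EICAR string is joined from
# two halves so that saving this script does not itself trip the scanner.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' + '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-RealTimeCoverage {
    param(
        [Parameter(Mandatory = $true)] [string] $Folder,
        [string[]] $Extensions = @('.txt', '.bat', '.com', '.doc', '.mdb'),
        [int] $WaitSeconds = 5   # assumption: enough time for the on-access scanner to react
    )
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }
    foreach ($ext in $Extensions) {
        $path = Join-Path $Folder ('eicar_probe' + $ext)   # hypothetical probe file name
        $written = $true
        try {
            [System.IO.File]::WriteAllText($path, $Eicar, [System.Text.Encoding]::ASCII)
        } catch {
            $written = $false    # write blocked, most likely by the real-time filter
        }
        Start-Sleep -Seconds $WaitSeconds
        $intact = $false
        if ($written -and (Test-Path -LiteralPath $path)) {
            try {
                $intact = ([System.IO.File]::ReadAllText($path) -eq $Eicar)
            } catch {
                $intact = $false  # file locked or access denied on open
            }
        }
        if ($intact) { Remove-Item -LiteralPath $path -Force }   # clean up surviving probes
        [pscustomobject]@{
            Extension = $ext
            Path      = $path
            Caught    = -not $intact
        }
    }
}

# Run against a scratch folder first, then against the USB drive or data folder.
Test-RealTimeCoverage -Folder $env:TEMP | Format-Table -AutoSize
```

A row with `Caught = False` means the real-time filter left that extension alone in that folder: expected for a data folder you excluded on purpose, a gap anywhere else.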

 

From: Christopher J. Bosak [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2008 11:03 AM
To: NT System Admin Issues
Subject: RE: USB usage protocols

 

Here's the autorunini file

 

[autorun]
action=Open Files On Folder
icon=icons\drive.ico
shellexecute=nircmd.exe execmd CALL batexe\progstart.bat

 

Perhaps need to set it to scan bat files as well?

 

And forgive me, but what is Eicar testing?

 

From: Sam Cayze [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2008 11:00 hrs
To: NT System Admin Issues
Subject: RE: USB usage protocols

 

Scanning and the real-time filters use a totally different set of
configurations.  What is the extension of the program that executes?  Is
that somehow excluded?  

 

Can you mimic the same results with Eicar testing?

 

From: Christopher J. Bosak [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2008 10:31 AM
To: NT System Admin Issues
Subject: RE: USB usage protocols

 

Added note, when told to scan the folders / archive where the program is
stored in, THEN it finds it. But until then, it does nothing.

 

Chris

 

From: Christopher J Bosak [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2008 10:27 hrs
To: NT System Admin Issues
Subject: USB usage protocols

 

Okay, so it's come through the grapevine that someone is walking around
with a USB drive that has USBThief running on it. I got a copy of the
program, and it grabs passwords and whatever other information it thinks
is useful and copies it to the drive and then you remove it. All this,
with nothing showing up on the screen. Now, we're running NOD32, and I
tested it, and it worked, and NOD did nothing. 

 

Has anyone run into this at all? 

Is the only option to disable the USB ports?

 

Thanks in advance.

 

Chris

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 
 




