autorun.inf viruses and Safe Portable App-ing

lwc
Translator
Joined: 2006-04-26 06:35
"scan it for viruses before running any of your applications."
But by then you could already have viruses thanks to the USB stick's autorun.inf, right?

Zach Thibeau
Developer
Joined: 2006-05-26 12:08
Well yes and no

The Autorun.inf file is a text file containing information of the drive name and what app to run. If it's only the PortableApps.com menu then you're safe anyways, as it's digitally signed so that you can be reassured what you're using from PortableApps.com is always safe.

your friendly neighbourhood moderator Zach Thibeau

lwc
Translator
Joined: 2006-04-26 06:35
I meant the guide claims that you should assume your entire USB stick (and autorun.inf) involve viruses, after you expose them to foreign computers, that can change autorun.inf if it already exists.

That very thing actually happened to me (got infected via autorun.inf), so I want to know how to avoid that in the future.

José Pedro Arvela
Joined: 2007-07-10 07:29
For now, none

For now, there is no easy way to prevent you from being infected. :(

One solution that was advised (and actually it may be the best), is to have a pen with a write switch set on read only, with ClamWin on it. Before using your PortableApps you insert the ClamWin pen and scan for viruses. This is an unpleasant way.

Another way is to have your normal pen with ClamWin to make the scan, but it has to have a read/write switch and set it to read. When you are sure the computer is safe, then you change the switch to write. This way won't prevent your data from being read by spyware, but will prevent your pen from being infected.

So, for now, implementing security is hard, and until a solution that does not require admin rights comes out, this is the best you can get.

Hope to have helped

lwc
Translator
Joined: 2006-04-26 06:35
Actually, autorun.inf can be disabled momentarily

I don't mean disabled by clicking shift, but doing it properly. The problem is this (beware, I'm about to get technical):

Method #1:

I turn off Autorun via:

Windows Registry Editor Version 5.00 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 
"NoDriveTypeAutoRun"=dword:00000095 

Once I see the drive is fine, I turn on Autorun once more via:

Windows Registry Editor Version 5.00 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 
"NoDriveTypeAutoRun"=dword:00000091 

But here's the catch - while the following procedure works live in some PCs, it requires a restart in others!

...but not if it's done via XP's TweakUI! So please please please tell me what makes TweakUI so smart that it manages to bypass the restart requirement??? What does it do that I don't? I've run it through InCtrl5 and it just does the aforementioned registry change. So how come it bypasses the restart requirement while I can't?

Unless you can figure it out (and please do!), I have to resort to:

Method #2:

Windows Registry Editor Version 5.00 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf] 
@="" 

BTW, I know some people want you to put some kind of trickery inside that "", but "" means the drive is still explored automatically.

The catch is that I can't reverse this situation because it later simply ignores this:

Windows Registry Editor Version 5.00 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf] 

This means I have to run this first:

Windows Registry Editor Version 5.00 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf] 
@=- 

Then - only after I run at least one autorun.inf - I can finally run

Windows Registry Editor Version 5.00 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf] 

but it's probably ignored anyway and keeps loading that "@=-" in secret.

Why does it force me not to delete the unneeded key?
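
Decoding the two NoDriveTypeAutoRun values from Method #1 in the post above, as an added example that is not part of the original thread. The bit meanings follow Microsoft's documentation of this value; the function names are this example's own.

```python
import re

# Bit meanings of NoDriveTypeAutoRun as documented by Microsoft:
# a set bit disables AutoRun for that drive type.
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown (0x80)",
}

def decode_mask(mask):
    """Return the drive types for which AutoRun is disabled."""
    return [name for bit, name in DRIVE_BITS.items() if mask & bit]

def parse_reg(text):
    """Parse .reg text into {key: {value_name: raw_data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"')] = data
    return keys

def autorun_mask(text):
    """Extract the NoDriveTypeAutoRun dword from .reg text, or None."""
    for values in parse_reg(text).values():
        m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", values.get("NoDriveTypeAutoRun", ""))
        if m:
            return int(m.group(1), 16)
    return None

def changed_types(before, after):
    """Drive types whose AutoRun state differs between two masks."""
    return decode_mask(before ^ after)

# The two .reg files from the post, copied as posted.
OFF = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
'''
ON = OFF.replace("00000095", "00000091")

if __name__ == "__main__":
    for label, reg in (("off", OFF), ("on", ON)):
        print(label, hex(autorun_mask(reg)), decode_mask(autorun_mask(reg)))
    print("toggled:", changed_types(autorun_mask(OFF), autorun_mask(ON)))
```

The only bit that differs between the two files is 0x04, the removable-drive bit. Neither value sets 0x20 or 0x08, so AutoRun for CD-ROM and fixed drives is left unchanged by both files.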

digitxp
Joined: 2007-11-03 18:33
Actually,

the easiest way to not get a virus is to not plug your drive ;).

Insert original signature here with Greasemonkey Script.

Bensawsome
Joined: 2006-04-22 19:27
I just have 2 USB drives and one is my "virus scanning USB drive" and the other one is my regular one. So I just put my virus scanning one in and scan first. If it has a virus I tell whoever owns the computer that it has one and go to another and do the same.

 iLike Macs, iPwn, However you put it... Apple is better ^_^ 
"Claiming that your operating system is the best in the world because more people use it is like saying McDonalds makes the best food in the world..."

lwc
Translator
Joined: 2006-04-26 06:35
Sorry, but you may already get a virus the second you connect the suspicious USB drive. That's my whole point. Please read the topic.

Tim Clark
Joined: 2006-06-18 13:55
He is willing to sacrifice the test drive, which he can reformat later.

As regards the next machine he plugs it into before he can reformat it, you need to be aware that not every virus attacks every .exe, and not every virus that tries to attack antivirus programs can attack every one. So if he puts it in a second machine and the antivirus program still runs, it is unlikely that the antivirus program itself has been compromised. And since he is running it from a flash drive it is unlikely that it is one of the big ones. In addition, most antivirus programs "selfcheck" to see if they have been compromised; this is why viruses that attack antivirus programs usually just deactivate it.

He is merely telling you what works for him.

Tim

Things have got to get better, they can't get worse, or can they?

Bensawsome
Joined: 2006-04-22 19:27
I know what you guys mean, but what I do to prevent the second computer I plug it into from getting infected is this: when inserting it I hold down the shift key (prevents autorun), I reformat the virus scanning USB drive, redownload ClamWin, and then scan the second one. It may take a bit but it's worthwhile not to have my good USB drive infected ^_^

 iLike Macs, iPwn, However you put it... Apple is better ^_^ 
"Claiming that your operating system is the best in the world because more people use it is like saying McDonalds makes the best food in the world..."

lwc
Translator
Joined: 2006-04-26 06:35
The second you mentioned shift

The second you said "I hold down the shift key", you changed your entire argument just like that. In that case, I've already talked about another solution above instead of relying on a chance click to save your entire system.

dbau
Joined: 2008-04-04 06:52
Read-Only

Couldn't you just have ClamWin on a drive which has a read-only switch and use that when scanning? You can run ClamWin off a CD so you should be able to do that.

lwc
Translator
Joined: 2006-04-26 06:35
Yes, if I had one

Since I don't, I'm trying to find another solution. I wish to develop the registry thing.

dbau
Joined: 2008-04-04 06:52
What about a CD?

lwc
Translator
Joined: 2006-04-26 06:35
Because this topic is about flash drives

If you use a CD, why are you in this topic? What about the registry solution/s? Let's work on that instead.

dbau
Joined: 2008-04-04 06:52
I don't use a CD, but you could use a CD to scan a computer and then, if it is clean, plug your USB in.

lwc
Translator
Joined: 2006-04-26 06:35
If I take a CD, I might as well use it for everything

Besides, I can't treat other computers as if they're my own. For example, if you need to perform a presentation, you sometimes have just seconds to run your files. And even if you could take your time, you wouldn't dare to mess with foreign computers when you're not supposed to touch them.

lwc
Translator
Joined: 2006-04-26 06:35
He never said "second machine"

You're putting words in his mouth. Besides, buying a computer just to use it as a test drive is not exactly appealing.

Tim Clark
Joined: 2006-06-18 13:55
Don't over read

Don't over read please,

...and go to another and do the same...
.
...So if he puts it in a second machine and ...

I didn't put words in his mouth.
I wasn't quoting him, just moving ahead with what he said.

I was thinking he would move on to another [second] machine in the same place.
No one said anything about buying a computer...

Sheesh,
Tim

Things have got to get better, they can't get worse, or can they?

lwc
Translator
Joined: 2006-04-26 06:35
He only said it after you said it, and even then he admitted using a whole other solution.

gmbudwrench
Joined: 2007-06-25 05:00
Does this help?

See last comment (or read whole thread if you like):
https://portableapps.com/node/13489

lwc
Translator
Joined: 2006-04-26 06:35
Why would creating a folder help?

Why would creating an "autorun.inf" folder prevent the file with the same name from being rewritten (or just written)?

dbau
Joined: 2008-04-04 06:52
Because Windows doesn't allow two folders or files to have the same name if they are in the same folder.

gmbudwrench
Joined: 2007-06-25 05:00
Don't know

This just seemed like the same topic. I pointed here because I thought it might be helpful.
