Solved

Webroot doesn't detect the autorun.inf infection?


webroot has been a godsend until today when i discovered that it does not detect/repair the dreaded autorun.inf infection.
 
i was gobsmacked...when both Avast and Kaspersky easily picked up the infection and cleaned it up promptly.
 
 
the autorun.inf infection was the one where it hides the folders and makes shortcut links in USB drives and it spreads from computer to computer like wildfire via usb memory devices.
 
hopefully Webroot can up it's act and get this remedied quickly.
 
 
 
Regards Pepe
icon

Best answer by nic 31 July 2014, 20:14

View original

14 replies

Userlevel 7
@ wrote:
@ wrote:
I can confirm Pepe's description. I had a family shared usb flash drive which was infected and the files inside disappeared. Instead there were only shortcut links. When I had connected the flash drive to a computer which had avast! AV, autorun.inf was immediately blocked and quarantined. After I restored the infection, I inserted the flash drive to my computer containing WSA. No warning was shown and nothing blocked or quarantined. I did a normal format on the drive and it was clean.

The only difference between two pcs was mine had autoplay disabled.

I thought I would share my experience and maybe it would help.:)
So I talked to our threat team and they said that WSA should detect the exe that tries to run to propagate the autorun.inf.  We won't detect just the present of the autorun.inf file, as that can be used for legitimate purposes, and that isn't the way that WSA operates, scanning every single file.  If you do see an instance of an infected autorun.inf file propagating on a WSA protect system please let us know.
Ah that makes complete sense. WSA is indeed a very clever and effective security solution. I must admit I haven't seen a WSA protected system infected with autorun.inf.
Thank you for talking to the threat team and clearing the confusion once and for all.:)
Userlevel 6
@ wrote:
@ wrote:
I can confirm Pepe's description. I had a family shared usb flash drive which was infected and the files inside disappeared. Instead there were only shortcut links. When I had connected the flash drive to a computer which had avast! AV, autorun.inf was immediately blocked and quarantined. After I restored the infection, I inserted the flash drive to my computer containing WSA. No warning was shown and nothing blocked or quarantined. I did a normal format on the drive and it was clean.

The only difference between two pcs was mine had autoplay disabled.

I thought I would share my experience and maybe it would help.:)
So I talked to our threat team and they said that WSA should detect the exe that tries to run to propagate the autorun.inf.  We won't detect just the present of the autorun.inf file, as that can be used for legitimate purposes, and that isn't the way that WSA operates, scanning every single file.  If you do see an instance of an infected autorun.inf file propagating on a WSA protect system please let us know.
Thank you Nic for the info.  I remember the 1st time I came across the autorun.inf virus a few years back. Looks like it is on the rise again. Like Amit, I too have autorun disabled. I will be keeping it that way!
Userlevel 7
I forgot to mention, I did a manual right click scan on the usb drive with WSA. But nothing was detected.
Userlevel 7
Hi pepelepew
 
Welcome to the Community Forums.
 
In case you are interested/in search of some more information on how WSA works and how it is different to traditional AVs/ISs then please take a look at this previous post which contains a good collection of schematics, videos and details on what has already been mentioned/alluded to in the last few posts.
 
Please do come back if you have any further questions.
 
Regards
 
 
Baldrick
Userlevel 7
Badge +56
@ wrote:
I can confirm Pepe's description. I had a family shared usb flash drive which was infected and the files inside disappeared. Instead there were only shortcut links. When I had connected the flash drive to a computer which had avast! AV, autorun.inf was immediately blocked and quarantined. After I restored the infection, I inserted the flash drive to my computer containing WSA. No warning was shown and nothing blocked or quarantined. I did a normal format on the drive and it was clean.

The only difference between two pcs was mine had autoplay disabled.

I thought I would share my experience and maybe it would help.:)
So I talked to our threat team and they said that WSA should detect the exe that tries to run to propagate the autorun.inf.  We won't detect just the present of the autorun.inf file, as that can be used for legitimate purposes, and that isn't the way that WSA operates, scanning every single file.  If you do see an instance of an infected autorun.inf file propagating on a WSA protect system please let us know.
Userlevel 7
Badge +56
Let me see what I can find out about this.
Userlevel 7
I can confirm Pepe's description. I had a family shared usb flash drive which was infected and the files inside disappeared. Instead there were only shortcut links. When I had connected the flash drive to a computer which had avast! AV, autorun.inf was immediately blocked and quarantined. After I restored the infection, I inserted the flash drive to my computer containing WSA. No warning was shown and nothing blocked or quarantined. I did a normal format on the drive and it was clean.

The only difference between two pcs was mine had autoplay disabled.

I thought I would share my experience and maybe it would help.:)
Userlevel 7
Badge +62
@ wrote:
please help me on this software.thanks
:D Welcome JSteven123,
 
My answer to this would be to submit a Support Ticket Here and please let us know if this was resolved so we can help others.
Hope to see you back even if its just to visit or if you need more help with this issue. For there are alot of Members here that can assist!
 
 
Thank you,
Userlevel 6
@ wrote:
please help me on this software.thanks
Hi JSteven123, welcome to the community!
 
Could you please clarify if you need help with autorun.inf or another software?
 
If it is autorun.inf, please follow the link in TripleHelix's post to submit a support ticket to the Webroot Tech Support Team.
 
If it is something different, please give us some more detail  so we can better assist you.
 
Thank you,
Beth
please help me on this software.thanks
Userlevel 6
@ wrote:
webroot has been a godsend until today when i discovered that it does not detect/repair the dreaded autorun.inf infection.
 
i was gobsmacked...when both Avast and Kaspersky easily picked up the infection and cleaned it up promptly.
 
 
the autorun.inf infection was the one where it hides the folders and makes shortcut links in USB drives and it spreads from computer to computer like wildfire via usb memory devices.
 
hopefully Webroot can up it's act and get this remedied quickly.
 
 
 
Regards Pepe
Welcome to the community pepelepew!
 
Sorry you had this experience with autorun.inf Pepe. Thank you for posting, your feedback is welcomed and appreciated!
 
I too am interested in hearing how this happened. I am confident however that the Webroot Tech Support Team will rectify the issue. I as well as the other community members look forward to hearing from them.
 
Please do visit the community often and share your experiences. That's what its all about here in the community, sharing our experiences and helping each other.
 
So browse around! You will find a wealth of information here as well as many friendly and knowledgeable members.
 
See you around the community!
 
Beth
 
 
Userlevel 7
Hi pepelepew
 
Welcome to the Community Forums.
 
I would be interested to know how this is the case?  What has alerted you to this 'fact'?
 
Regards
 
 
 
Baldrick
Userlevel 7
Badge +56
Yes I would like to know as well we can see if @ or @ are around and supply some info on this!
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +62
Welcome to the Community Forum pepelepew!
 
@ wrote:
webroot has been a godsend until today when i discovered that it does not detect/repair the dreaded autorun.inf infection.
 
i was gobsmacked...when both Avast and Kaspersky easily picked up the infection and cleaned it up promptly.
 
 
the autorun.inf infection was the one where it hides the folders and makes shortcut links in USB drives and it spreads from computer to computer like wildfire via usb memory devices.
 
hopefully Webroot can up it's act and get this remedied quickly.
 
 
 
Regards Pepe
My answer to this would be to submit a Support Ticket Here and please let us know if this was resolved so we can help others.
Hope to see you back even if its just to visit or if you need more help with this issue. For there are alot of Members here that can assist!
 
Thank You,

Reply