(referred to hereafter as FD) is a great little program that does offer protection against autorun malware, but it does have some drawbacks, as does most software. There is also other info you should be aware of, as well as alternatives to FD.
First you should acquire some knowledge, if you don't have it already, of how autorun infections work so that you have a better idea of how to deal with them. A Flash Drive that has been inserted into an infected computer will have two elements: one, the malicious payload in the form of executable files--basically the infection itself--and two, an autorun.inf file, which is known as a loading point. No matter how vicious, malware files (the payload) can't affect you unless they are started/run/opened/loaded into memory. That's where the loading point (autorun.inf) comes in. Without a loading point it is like having bullets with no gun.
Especially for Windows XP, autorun is enabled by default so that, when you insert a flash drive into a computer, the autorun.inf file is automatically executed, which in turn tells Windows to execute the payload--the malicious executable files or infection. One element of the infection is that this autorun.inf loading point file, along with the payload files, is copied to the root of other flash drives that are inserted into the computer--and perhaps your hard drive partitions as well--so that the malware continues to spread. If autorun is disabled and/or if autorun.inf does not exist, then the payload files will sit harmlessly on the Flash Drive. Most of those payload files will be cleaned up by your antivirus software, just like any other known malicious file.
When FD first came out it was designed primarily to clean up both the malicious files and to prevent further spreading by "inoculating" every partition with a dummy autorun.inf file and disabling autorun. It uses some other methods that I won't go into as it makes defeating FD too easy for malware authors and script kiddies. Back then, antivirus would not check autorun.inf files because the file itself is legitimate--what is harmful is how it is written. USB flash drives can have legitimate programs launched via autorun.inf. For example, Portableapps.com will write to the autorun.inf file so that its launcher--a sort of Start menu for the flash drive--will run whenever your Flash drive is inserted into another computer. The contents of that autorun.inf file will look something like this:
Malicious autorun.inf files will use the name of their payload executable file in place of StartPortableApps.exe. Antivirus programs are not designed to deal with this, although some may be changing now. But the point is that in the early days, not many infections used this method, so the author of FD would keep the tool updated so that it both cleaned up malicious payload files and inoculated to prevent further spread by dealing with the autorun.inf file. Now this infection method is so widespread--especially since Conficker came out--that the author no longer has time to keep it updated. He is an active malware fighter and much of his time is spent on keeping another of his excellent removal tools current and effective. So he's left removal of newer payload files to antivirus/antimalware programs. However, running it to prevent the autorun.inf file from executing and thus preventing the spread of infections is still quite effective and useful.
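As an added illustration (not code from the original post, nor from FD or any of the tools named here), this small Python inspector does what the post describes by hand: it parses an autorun.inf, lists which entries would launch a program when the drive is inserted or opened, and checks whether the named file is actually present on the drive root. The two sample autorun.inf bodies and the file names in them are constructed for the demo.

```python
import configparser
import os
import tempfile

# [autorun] keys that name a program to start: "open"/"shellexecute" run on insertion
# when autorun is enabled; shell\<verb>\command entries run when the drive is opened
# or explored from My Computer, which is why infections tend to set all of them.
LAUNCH_KEYS = ("open", "shellexecute")
HIDDEN_ATTR = 0x2  # FILE_ATTRIBUTE_HIDDEN; os.stat only reports it on Windows

def parse_autorun(text):
    """Return {key: value} for every launch entry in an autorun.inf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:      # no section header, or otherwise not INI-shaped
        return {}
    sec = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if sec is None:
        return {}
    return {k: (v or "") for k, v in cp.items(sec)
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}

def launch_target(value):
    """Program path from a launch value such as '"Start Me.exe" /q' or 'x.exe /q'."""
    value = value.strip()
    if value.startswith('"') and value.find('"', 1) > 0:
        return value[1:value.find('"', 1)]
    return value.split()[0] if value else ""

def inspect_autorun(text, root):
    """Report what an autorun.inf found at drive root `root` would start."""
    findings = []
    for key, value in parse_autorun(text).items():
        prog = launch_target(value)
        path = os.path.join(root, prog)
        exists = os.path.isfile(path)
        hidden = exists and bool(getattr(os.stat(path), "st_file_attributes", 0) & HIDDEN_ATTR)
        findings.append({"key": key, "program": prog, "exists": exists, "hidden": hidden})
    return findings

# Constructed samples (not taken from any real drive): a PortableApps-style launcher
# file, and one in the shape the post describes, where every verb points at a payload.
LEGIT_SAMPLE = "[autorun]\nopen=StartPortableApps.exe\nicon=Autorun.ico\naction=Start PortableApps.com\n"
SUSPECT_SAMPLE = ("[autorun]\nopen=payload.exe\nshell\\open\\command=payload.exe\n"
                  "shell\\explore\\command=payload.exe\n")

def demo():
    """Inspect both samples against a temporary 'drive root' holding only the launcher."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "StartPortableApps.exe"), "wb").close()
        return inspect_autorun(LEGIT_SAMPLE, root), inspect_autorun(SUSPECT_SAMPLE, root)

if __name__ == "__main__":
    for findings in demo():
        for f in findings:
            print(f"{f['key']:<22} -> {f['program']!r:<26} present={f['exists']} hidden={f['hidden']}")
```

A launch entry whose target is missing, hidden, or named in every shell verb is the pattern worth a second look; a single `open=` pointing at a visible launcher you recognise is what a legitimate vendor file looks like.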
A few days ago, I was reading through the posts to see if someone else was having the same kind of problem I was experiencing on my wife's computer.
First of all, did you get this resolved? This may or may not be something that can be fixed with FD. Infections still spread in the older, conventional ways, such as email attachments, so Flash Drives may not be involved at all. If you need more help with that let us know.
One of the experts utilized a utility which disabled the autorun on thumb drives, external Hard Drives, etc. and installed a mini-program which prevented any future auto-runs.
As explained above, it is not really a mini-program that FD uses. Alternatives to FD are, which I will get into in just a bit. But this is where FD has drawbacks.
1. FD makes some changes to your system that aren't easily reversible. For example, the warning you've gotten from previous posters to not delete the dummy autorun.inf file is a little outdated. Malware writers saw that and soon figured out that a dummy file set to read only is easily defeated, so the dummy was changed in such a way that the autorun.inf folder is very difficult to delete--again, I won't say how so that we don't make it too easy for the malware writers. Personally, I like to be able to reverse anything done with some ease. A good argument can be made that the spread of autorun malware is so pervasive that reversing the changes is not necessary and therefore not as important as the security of everyone with a USB port/card reader, so it is all for the common good. However, I would still like to know what is changed even if I can't reverse it. Not knowing can cause unnecessary worry and confusion. It's very common for people to have heard that autorun.inf is bad, and then when they see the dummy by that name put there by FD, to come to believe they are infected.
With knowledge of how autorun.inf infections work, the dummy is redundant as a prevention method. If a person disables autorun and never, never ever re-enables it, then you won't have to worry about the autorun.inf loading point being executed--you are taking the gun away so that the bullets are useless. My problem with the MS article's instructions (that garmanma linked to) for disabling autorun is that they are too complex for the average person, and many are gun-shy of editing the registry. A great alternative is to run a batch file that will do this very easily. Go to the following Conficker removal guide, scroll down to the last few paragraphs and follow the instructions for the file linked to as Noauto.reg download link
2. FD is not your typical program. It doesn't have a home page where you can get additional information and support. As a rule of thumb, I don't like to have programs on my computer that have no support or any way of contacting the author. As mentioned earlier, it's not really a program as much as a quick cleanup tool combined with one time changes to your computer's settings--it doesn't run in the background. But it is still easy for the common user to be confused about this.
Is this utility a good idea for someone who transfers files and documents from a variety of computers?
Bottom line is that running FD will protect your system from future autorun infections. Depending on your situation, you might need its redundancies, otherwise disabling autorun will protect you just as well. Then there are some alternatives that are less invasive and a bit more transparent--programmers are starting to catch up to this relatively new threat. I have been intending to write a guide and test these programs but have not had the time to finish that yet. But here is a bit of what I know at this point.
1. Autorun Eater
This is more along the lines of a "utility" program that stands guard much the way you've envisioned it. It's for people who don't want to disable autorun, but that makes it necessary for it to always run in the background, which is a drawback if you have limited computing resources.
It works by blocking any autorun.inf from executing, shows you the contents of the file, and gives you the option of removing it or ignoring it. If you remove it, a backup is made so that it can be restored later. As an extra feature, it can restore Task Manager, Regedit and Folder Options, which many autorun infections disable.
Many malware removal specialists believe there are no legitimate autorun.inf files out there so no need for an ignore function, not to mention leaving autorun enabled. But as you can see, Portableapps.com is legit and most USB Flash drive vendors include similar launchers, such as U3, that may or may not make use of the autorun.inf file and there are other third party launchers out there. However, the point remains that these launchers starting up when inserted are a convenience and shouldn't be preferred over good security practices. You can still start these launchers manually.
The two big drawbacks to this program, besides it running in the background, are, one, it may be that it can be easily defeated and, two, the author thinks it's cute to have a goat bleat at you whenever you log in--which is very irritating after the first or second time it happens. However, the bleating is easily disabled. A third drawback is that you must have some knowledge of what files are not malicious.
I have this running on my system but haven't thoroughly tested it yet. I wouldn't recommend it to everybody depending on circumstances.
2. Panda USB and AutoRun Vaccine: http://research.pandasecurity.com/archive/...un-Vaccine.aspx
As also linked to by RedDawn. I haven't tried this one out yet, but from the description it sounds as if it is much like FD without the cleanup of malicious payload files. It also doesn't run in the background, although there are plans to make that an option.
One drawback is that it is also not easily reversible. To delete the inoculation, one must reformat the flash drive. It shouldn't be that big a deal as you can easily copy the entire contents of Flash drives to your hard drive--unless it is almost full.
3. Autorun Protector
I've only had time to read over the description of this one, but it sounds pretty good. However, I am not sure what methods are used for protection, so I can't recommend it at this time.
I hope this helps some. Another factor to consider is the state of the computers that you use your Flash drives on. If you use them only on computers that you have some control over, and thus have instituted a practical security policy so that they stay free of infections for the most part, then infections spreading via USB drives won't be much of a problem. It's when you use those drives on less secure systems that the trouble starts--when FD was first developed, students were getting infected every time they inserted a Flash drive into a computer connected to the college's system, which was infected.