The Enemy Within: A Cautionary Tale Of Security Software

Harold Gough
Posts: 5786
Joined: Sun Mar 09, 2008 2:17 am
Location: Reading, Berkshire, England

Post by Harold Gough »

I recently replaced my security software. The package I had been using had failed to prevent an incident which meant I was no longer able to use my PC. As it was due for renewal on this replacement PC, I took advantage of a bulk purchase opportunity via Groupon. This gave 60 months of protection for £9 per PC from Panda Internet Security 2012.

It was one of the tools I was unaware of when I decided to install the software. Called Panda USB Vaccination, it prevents malware from using the Autorun of USB devices to spread itself. It does this by making the Autorun.inf file inaccessible permanently. Unfortunately, this sometimes malfunctions and makes devices inaccessible to the user.

My background with such up-front protection is the Inoculation against malware infection applied by some software to files on your PC. I never had a problem with that. So, it was quite acceptable to also be able to do something I thought was similar to USB devices.

To cut a very long story short, I allowed card readers to be Vaccinated on two occasions, the actual card being affected. Others were done without my knowledge, although I had not allowed automatic Vaccination.

I then started to find that the camera from which the cards had been removed could no longer read the cards after downloading via a card reader. Another was readable only via the camera. Those were all using Olympus ORFs. Then my wife downloaded a few images she had shot for me, deleted them in the camera and then found that her large number of images on the card were inaccessible by any means.

Having expressed my increasing distress to the Panda support team, they gave me a remote session, which lasted nearly two hours. (I managed to 'send' image ORFs from most of the cards to my PC before the session). The technician had never seen anything quite like it. After much investigation, and finally uninstalling the Vaccination software, the technician asked me to send the two remaining cards in for further investigation.

The bottom line is that the cards can only be made functional again by reformatting. So, anyone installing such software should check for such problems before it is too late. It had taken me some time to associate the Vaccination, or just use of a card reader, with the symptoms.

Having realised what was happening, a search on the internet showed that this Vaccination from Panda had been causing problems for several years, such that you would expect adequate warnings to be delivered with the software package and a fix to have been developed.

Harold
My images are a medium for sharing some of my experiences: they are not me.

Chris S.
Site Admin
Posts: 4044
Joined: Sun Apr 05, 2009 9:55 pm
Location: Ohio, USA

Post by Chris S. »

What a bizarre way Panda picked to avoid autorun infections! They could simply have guided users into telling Windows to disregard the autorun.inf for usb media, without changing the contents of those media in any way. This would be much safer for the media, but perhaps harder to brand, as it's something anyone can do through the control panel. So perhaps it was a marketing decision to do it this way. Personally, I wouldn't worry about autorun infections anyway, as regular antivirus protection should kick in if autorun tries to introduce anything untoward. But I do turn autorun off simply because I find it annoying to have media trigger events; I prefer to do such things myself.

I support a lot of computers. For people willing to pay for antivirus protection, I recommend Eset's NOD32 software. For the others, I've been increasingly using Microsoft's free Security Essentials, and grudgingly getting to the point that I trust it, inasmuch as I trust anything.

Panda will now get a "questionable" notation in my brain. And for what it's worth, Symantec/Norton products and McAfee products I will not permit on any computer I support. If they come pre-installed on a purchased machine, they are the first things I remove. It's incredible how much they slow down the computer, how much junk they leave behind after being uninstalled, and how much faster a computer runs if you take the time to manually remove this detritus.

Glad you got to the root of the problem, Harold. Ugh, though.

Cheers,

--Chris
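
Editorial example added to this thread, not code from any poster or from Panda: the host-side alternative described in the post above is governed on Windows by the `NoDriveTypeAutoRun` policy value, a bitmask in which each set bit switches AutoRun off for one drive type without touching the media. The sketch below decodes that mask; the function names and the sample values are constructed for illustration.

```python
# Added example: interpret the Windows NoDriveTypeAutoRun policy value.
# Each set bit turns AutoRun OFF for that drive type; the media are not modified.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"

DRIVE_TYPE_BITS = [
    (0x01, "unknown"),
    (0x02, "no root directory"),
    (0x04, "removable (USB sticks, card readers)"),
    (0x08, "fixed disk"),
    (0x10, "network"),
    (0x20, "CD/DVD"),
    (0x40, "RAM disk"),
    (0x80, "reserved/unknown"),
]
REMOVABLE = 0x04
ALL_DRIVES = 0xFF  # AutoRun off for every drive type


def disabled_types(mask):
    """Names of the drive types for which AutoRun is switched off."""
    return [name for bit, name in DRIVE_TYPE_BITS if mask & bit]


def usb_autorun_disabled(mask):
    """True when the removable-media bit is set in the policy mask."""
    return bool(mask & REMOVABLE)


def read_policy():
    """Read the machine-wide value (Windows only); None if it is not set."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _type = winreg.QueryValueEx(key, POLICY_VALUE)
            return value
    except FileNotFoundError:
        return None


def audit(mask):
    """One-line summary of what a given policy mask means for removable media."""
    if mask is None:
        return "policy not set: Windows default behaviour applies"
    state = "OFF" if usb_autorun_disabled(mask) else "ON"
    return (f"0x{mask:02X}: AutoRun {state} for removable media; "
            f"disabled for: {', '.join(disabled_types(mask))}")


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        print(audit(read_policy()))
    else:
        for sample in (0x91, 0x95, ALL_DRIVES):  # constructed sample masks
            print(audit(sample))
```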

Harold Gough
Posts: 5786
Joined: Sun Mar 09, 2008 2:17 am
Location: Reading, Berkshire, England

Post by Harold Gough »

Thanks, Chris.

Good to have such specialist input. It was a mystery to me as to why my camera might supply me with malware.

One thing which stopped my uninstalling the USB Vaccination tool was that, unlike the main Security software, Uninstall was not offered in All Programs on the Desktop Start menu. It had to be uninstalled via the Add/Remove programs in Control Panel, an inconsistency which surprised me.

I too, long ago, disposed of Symantec/Norton products and McAfee products. Now add AVG to that list.

Harold
Last edited by Harold Gough on Wed May 23, 2012 2:23 am, edited 1 time in total.

Pau
Site Admin
Posts: 6064
Joined: Wed Jan 20, 2010 8:57 am
Location: Valencia, Spain

Post by Pau »

This vaccine does a good job, even though it doesn't seem the most elegant option.
Last year we had a problem at the school with a virus that propagated this way. The usual antivirus programs were unable to eliminate it; it was necessary to manually modify the Windows registry to deal with it.

Of course it makes little or no sense for camera memory cards, but for pendrives that transfer files between different computers it makes a lot of sense.
Pau

Harold Gough
Posts: 5786
Joined: Sun Mar 09, 2008 2:17 am
Location: Reading, Berkshire, England

Post by Harold Gough »

What I forgot to mention is this. I have a Terabyte external USB drive, onto which I do all my major backups. I was very nervous about that possibly being compromised (I don't know how Autorun might be involved but the damage seems to be to file structure more generally). That has been disconnected through this episode and still is.

Harold

DQE
Posts: 1653
Joined: Tue Jul 08, 2008 1:33 pm
Location: near Portland, Maine, USA

Post by DQE »

Harold,

I'm very sorry to learn of your computer misfortune. These things are both a curse and a blessing, to say the least.

Have you tried any of the commercially available camera memory card rescue programs to salvage the photos left on the cards? FWIW, I have had good luck with Rescue Pro Deluxe, but fortunately I never had to try it with the specific problem you ran into. Here's the vendor's URL. A "lite" version is often provided with Sandisk memory cards.

http://www.lc-tech.com/pc/sandisk-rescu ... ro-deluxe/
------------

Regarding antivirus packages, after trying out most of the major vendors' products over the course of a number of years, it seems to me (based in part on published reviews and tests) that each vendor in turn does well for a year or two and then manages to stumble as they make major updates or revisions or sell extra-cost add-ons for their system. After having tried and abandoned McAfee, ZoneAlarm, and AVG, I've been reasonably satisfied with Symantec/Norton Internet Security for the past few years. I simply might not have noticed inefficiencies since my PC is a fairly high performance configuration with lots of bells and whistles. YMMV, of course.

Regarding camera memory cards, I've found that many cameras need to do the reformatting in the camera instead of via the PC. If the PC does the reformatting, the camera sometimes cannot read or properly use the card. I have no idea how prevalent this issue is across all camera brands and models. Also, I've read that there are a lot of counterfeit memory cards on the market these days, perhaps similar to other manufactured items. Not sure how to work around this other than to pay extra and buy from a reputable vendor. A great way to inflict malware on the unsuspecting public would be to sell memory cards very cheaply on eBay or something and infect people's computers this way. Even computers not connected to the internet can be infected through this or similar means, using memory sticks or memory cards.
-Phil

"Diffraction never sleeps"

ChrisRaper
Posts: 291
Joined: Tue Oct 04, 2011 1:40 am
Location: Reading, UK

Post by ChrisRaper »

I've never had a problem running "Avast! AntiVirus" and "SpyBot Search & Destroy" on all of my PCs and laptops (dozens over the years). It actually caught a new virus that a friend's corporate install of Sophos hadn't spotted - his laptop put the virus on a USB stick and my laptop caught it every time it tried to load from autorun. He was a bit surprised about that ;)

I am very careful about what I download and what I do with CDs or USB sticks that I get from other people. I never click on links or attachments that are sent to me by friends unless they have pre-arranged to send me something.

Funny how often I am asked to fix virus/malware infections on friends' PCs though :evil:

Harold Gough
Posts: 5786
Joined: Sun Mar 09, 2008 2:17 am
Location: Reading, Berkshire, England

Post by Harold Gough »

Yes, Spybot seems very safe.

Harold

Harold Gough
Posts: 5786
Joined: Sun Mar 09, 2008 2:17 am
Location: Reading, Berkshire, England

Post by Harold Gough »

DQE wrote: Have you tried any of the commercially available camera memory card rescue programs to salvage the photos left on the cards?

Yes. CardRecovery does a good job but in this case it was reading whole cards as all "bad sectors". It did get back the files from the one the card reader no longer reads, before some unknown event stopped that. I would be happier if I could check the number of files on the card but the MB of data recovered corresponds to a card which was about full. The main concern is for my wife's card.

The most alarming thing was that I was finding the situation changing for some cards, not knowing if it was progressive and desperate to recover what I could, via software or by simply sending, before the access was lost. I was not a happy bunny!

Harold

Olympusman
Posts: 5090
Joined: Sun Jan 15, 2012 12:31 pm

Panda

Post by Olympusman »

I have always been very suspicious of any freeware from Panda. You will notice that these apps are written by Chinese. The Chinese are actively trying to get into our computers. One of their free apps is an exif reader that allows you by clicking on any image to automatically show you the exif data. This means the application is running all the time in the background, essentially always looking over your shoulder.
A few years ago we were restoring memory cards for our users. Often, we encountered counterfeit memory cards that had been bought from Asia that had malware already installed on the cards, which is a handy way to bypass computer security by reading directly from the card as a drive instead of being protected by Internet intrusions.
Michael Reese Much FRMS EMS Bethlehem, Pennsylvania, USA

Harold Gough
Posts: 5786
Joined: Sun Mar 09, 2008 2:17 am
Location: Reading, Berkshire, England

Re: Panda

Post by Harold Gough »

Olympusman wrote: You will notice that these apps are written by Chinese.
That had slipped by me.

Harold

abpho
Posts: 1524
Joined: Wed Aug 17, 2011 7:11 pm
Location: Earth

Post by abpho »

Any idea what Mac users should be using/doing? I used to run Eset/NOD32 on a PC. But since switching I have never thought about it.
