Inserting Thumb Drive Causes Defense+ Popup -allow or not?

[Guest]

[dolphin-dan]

Merry Christmas to all!

First some system details:

I have Windows Vista Ultimate and Comodo Firewall v3.13.121240.574 installed.
I'm using Avast as an antivirus.
I use Malwarebytes MBAM, GMER and Superantispyware as "on demand" scanners (ie. not realtime)


My question regards a Defense+ popup arising from plugging in a USB thumb drive.
It stated:

"services.exe is trying to modify the windows service registry root.  What would you like to do?"

under security considerations it states:
services.exe is about to modify the windows services registry root HKLM\SYSTEM\ControlSet001\Services\wudfsvc\Start. It is unusual to get this type of alert because Defense+ normally handles these issues for you.  If you are not installing or updating an application, you may consider blocking this alert temporarily  ie. without selecting "Remember my answer option.


I responded by blocking the request and did not select "remember my answer".

Was this the correct thing to do, or do thumb drives require that registry modification with wudfsvc?

Despite blocking the request, I am still able to see the thumb drive now as Removable Drive (J:)
and it scans clean, as does the rest of my computer.  My concern is that I can't find anything wrong
yet Defense+ says it is unusual to get this type of alert.  While I'm able to use the thumb drive still,
what happened or did not happen as a result of blocking the request?

Is this really a normal Defense+ message when plugging in ANY thumb drive? Should I ALLOW the request next time in Defense+?


Thanks in advance for any advice.
Dolphin-Dan

[adioz86]

Everytime you plug in a drive, services.exe installs that drive in Registry, better said: Add drivers.
As long as you plug in a drive and services.exe alert appears you can allow it, but don't remeber for services.exe, otherwise anytime a virus uses this to install it's own driver and that's bad.
If you do an installation of program/hardware allow such alert, don't forget, updating Windows counts to that.

[dolphin-dan]

Everytime you plug in a drive, services.exe installs that drive in Registry, better said: Add drivers.
As long as you plug in a drive and services.exe alert appears you can allow it, but don't remeber for services.exe, otherwise anytime a virus uses this to install it's own driver and that's bad.
If you do an installation of program/hardware allow such alert, don't forget, updating Windows counts to that.

Thanks for the information.  But looking through the Defense+ "Computer Security Policy" list
I notice that at some time in the past I had already allowed services.exe with a Custom Policy.
Should I remove that rule or change every access right entry for services.exe to "Ask"?

[EricJH]

Everytime you plug in a drive, services.exe installs that drive in Registry, better said: Add drivers.

That only happens when you insert a device for the firs time of course. Once the drivers are installed Windows will immediately recognise the device next time it is connected.

Thanks for the information.  But looking through the Defense+ "Computer Security Policy" list
I notice that at some time in the past I had already allowed services.exe with a Custom Policy.
Should I remove that rule or change every access right entry for services.exe to "Ask"?

That setting for services.exe is set like this by default by CIS. No need to change it. In that setting it will ask when you want to run another exectutable or when accessing protected registry keys (the mentioned driver install for expmple).

[dolphin-dan]

Okay, I think I understand now:

1. -when I plug in the thumb drive for the first time, I should allow the registry modification
but choose NOT to remember the answer
 2. -once the driver is installed, I won't be prompted anymore for that particular device since
the driver only has to install once
3. -since I selected "do not remember the answer", the access rights for services.exe will
remain at the default settings, which means I will continue to be prompted for any other
devices that I insert (or if malware makes an attempt at installing itself)

The confusing part for me was how Defense+ stated "It is unusual to get this type of alert because Defense+ normally handles these issues for you."  If I understand everything correctly, Defense+
does NOT normally handle the issue of a thumb drive plugged into a system for the first time
and it is therefore normal that I need to manually intervene by responding to the prompts.

Thank you Adioz86 and Eric.

[EricJH]

I must admit that that is a confusing message.

I think, but I am not totally sure here, usually services.exe runs when installing a program or a complete driver suite. In that case it will inherit the rights from the installer/updater profile that started services.exe.

I asked the other mods if they agree with my interpretation.

[sleepyjim]

How do you undo the blocking if you selected remember?


All by usb flash drives are blocked now........


SJ

[EricJH]

What exactly is blocked? Can you explain in more detail? Do the drives not get recognised because it is impossible to install the driver for the drives?

[Tags:]