AV doesn't detect infected USB drives anymore

The updated version of CIS(free) does’n alert anymore about presence of injected files such autorun.inf of kido(conficker, downadup) virus on usb flashdrive. On manual scan it find and clean this files but there is no detect/alert on accesing compromised usb drives(with antivirus security level set to “ON ACCES”)
It’s very disappointing because i was confident in your solution and ready to recommend to the network administrator at my workplace to buy an multiple licence of CIS pro.
I don’t know when or witch of the updates did this.

I believe that CIS will only scan files if they are being loaded into the memory. Thus if it was just sitting there I don’t believe it would be scanned.

But the previous version of CIS did that(it was alerting and cleaning such threats without accessing that files or manual scanning). Kido is an aggressive polimorph not an passive one and a lot of (famous)antivirus products has failed in stopping it spreading.

It should not be able to spread, and yes they have changed this behavior from version 5.5. to 5.8 in regards with performance improvements.
A system should not become infected because of this.

Just use this.

Well, as I suspected, my system, protected by CIS, has begun to inject autorun.inf an Recyle bin hidden file and folder in usb flashdrive(i checked that by formatting, unplug and plug again the usb flashdrive). Wasn’t big deal, kido removing tool from kaspersky has done his job. But the fact is that newest(latest updated) version of CIS is vulnerable to this threat.Forgot to tell you: before using removing tool the system was scanned by CIS with 0 threats founded(CIS antivirus is set to “on access”, root scanning, cloud scanning, scan archive files and scan memory on start enabled, defense+ is set to enhanced protection mode). I don’t blame CIS for that. Many other top rated antivirus product have been compromised by this kido/conficker/downadup virus. I think this is an very underestimated threat. This virus is modifying antivirus behavior. Not in an snap action… but in time, if there is an oped door, kido certainly will find a way to take advantage. I think is a continuous development work to improve this virus.I detected presence of kido in two of the local ISP networks. It is just enough to plug an network cable from an infected network in an unprotected PC(w/o no other action) and the infection is done. kido… with his favorite children is there. As in medicine: to prevent is better then cure.

I am not following you. First of all, the changes are only in Stateful mode not in on-acess, so no behavior change there.

However CIS automatically blocks any execution from ?:$Recycle.Bin* etc. So there is no way for conficker to bypass this.

However, if you believe its been bypasssed, it would greatly help if you compressed all of your USB drive(minus confidential files) and provide to me for testing further.

My usb drive files come and go. It’s meaningless to send files like that. But i could try to send you exactly files(archived) with virus signature and pictures witch reveals the lack of action of CIS accessing an compromised usb drive(set to “on access”). If you think that this could help please tell me how could i do that(via e-mail/Skype or else). Please don’t get me wrong. I don’t intend to prove that CIS is weak. I like your product and i want to know that it is indeed that good security solution that I thought to be.

I believe you. What i am trying to do is to reproduce the issue so that we can fix. Otherwise there is no way for us to see what is going on.

I can tel you that corrupted files found in kk scan was ntdll.dll, netapi32.dll, dnsapi.dll, and finally, when kk arrived at that point, CIS raised an detected kido in c:\windows\system32\vlhcoc.dll. As i said before, a full scan with CIS was performed before running kasperky removing tool with 0 threats.
Hope that’s helps and if you wanna receive that files(archived autorun.inf, recycler and pictures with CIS setings and kk scanning) please tel me how to send them.


Please zip the files if possible in a password protected archive and upload it to some fileshare service like e.g. http://www.filesonic.com.
And send egemen a PM here with the link to download.


pasword 4 archive: conficker

Removed live malware URL, please don’t post this in public.

I removed the URL from the post and have send the details to Egemen.