@Tech, the file is whitelisted, detection won't occur after update.
@bob2160, don't get me wrong, I'm not here to argue, but... The program just did what it is meant to do.
Basically, it's a generic scanner (probably 99% of detections are infection-based heuristics) meant to block USB-transmitted malware using any known attack vector.
Because of the fact that files on removable drives are not critical for the proper functionality of your OS, MCS can go a step further than an antivirus can and be much more aggressive. Precisely that is the reason why I never got any reports of flash infections on computers running MCS in a period of more than 2 years.
And no, I'm not saying it detects everything, but it detects enough to prevent infections.
Anyway, thanks for trying and the feedback, it's appreciated.
These generic autorun detections simply happen when new/updated software using the autorun feature is published. When I'm informed about it, the detections get prevented. That's the only way I can make sure that a PC doesn't get infected using autorun. The alternative would be to do as an AV does: wait for a signature of a piece of malware (but that would make MCS quite pointless: it's supposed to help the AV with new malware, not have the same "problem" as the AV does).
Bootable drives are treated the same way as any other drive and there are no special issues regarding those. I'll do some testing with a Win8 setup flash disk to see what those folders are doing there (it's a name for a protected system folder, I have a hard time understanding why MS would put those folders on a setup disk - if they are supposed to be there, I'll adjust the program logic behind those detections /that detection is not database based, it is hardcoded - a folder with that name, in the root of a drive, can be both legit and bad; the program tries to determine what is what.../).
schmidthouse mentioned Panda... No intention to talk bad about "competition", just believe that this needs to be said: Panda USB vaccine provides a certain amount of protection on older operating systems where autorun functionality can be exploited. It creates an autorun.inf file (which can be considered as a loading point) and sets an illegal attribute on it (instead of being marked as a file, that autorun.inf is marked as a volume and because of that can not be opened using standard Windows functions). There are two things to note regarding this:
- autorun is just one of the ways the infection can be started;
- this is not bulletproof; although they say you need to format the drive to remove the file, that file can be removed (a dll that comes with MCS has functions that can both create those files and remove them - this is not used because I think it is not a good approach, but, the point is, if MCS can do it, what is to prevent malware from doing it?).
Automatic mode and why MCS can't ask what to do... First, some things are time critical (autorun and the exploits), I can't ask because by the time the user responds it could be too late. Second, malware uses a lot of tricks and an average user doesn't have enough knowledge to respond properly.
An example: MCShield scans a memory card on a camera and tells the user that X:\DCIM.exe is malware... Most people would think I'm insane and that I'm trying to delete their pictures because a folder named DCIM is where their pictures are. Of course, this is simple stuff for a power user, but for an average one, it's not really that simple.
Anyway, to implement some kind of expert mode where the program would do what must be done right away and then ask the user for the rest would be brutally complicated and require a total rewrite of the program. To do this, I'd have to stop working on malware detection routines for at least six months and I'm not sure it's worth it. Yes, I know it doesn't look good when the first thing a program does is to make a false positive, but believe me when I say it doesn't happen that often. Currently, the whitelist contains only 111 files that had to be protected from detection. Don't know what you think of it, but I'd say that's not bad considering the program is more than 2 years old and that the number of treated items reported so far is 223173.
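
An added example, not part of the original post and not MCShield's code: a small scanner for the two drive-root patterns discussed above, an `autorun.inf` loading point and an executable named after a folder next to it (the `X:\DCIM.exe` case). The extension list, the sibling-folder rule and the names `scan_drive_root` and `demo` are assumptions made for illustration.

```python
import os
import tempfile

# Constructed, non-exhaustive list of extensions Windows runs on double-click.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def scan_drive_root(root):
    """Return sorted (reason, name) findings for the root of a drive."""
    entries = list(os.scandir(root))
    folders = {e.name.lower() for e in entries
               if e.is_dir(follow_symlinks=False)}
    findings = []
    for e in entries:
        name = e.name.lower()
        stem, ext = os.path.splitext(name)
        if name == "autorun.inf":
            # Loading point: report it whatever kind of object it is.
            findings.append(("autorun", e.name))
        elif (e.is_file(follow_symlinks=False)
              and ext in EXEC_EXTS and stem in folders):
            # Executable posing as a folder that sits next to it.
            findings.append(("folder-mimic", e.name))
    return sorted(findings)


def demo():
    """Build a constructed camera-card layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "DCIM"))
        for name in ("DCIM.exe", "autorun.inf", "setup.exe", "notes.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"constructed sample, not a real binary")
        return scan_drive_root(root)


if __name__ == "__main__":
    for reason, name in demo():
        print(f"{reason}: {name}")
```

`setup.exe` is left alone because no folder named `setup` sits beside it, which is the kind of legitimate autorun-style software the post says ends up on the whitelist when a name-only rule is too aggressive.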