ONSITE: when your client's AV detects viruses on YOUR storage media.

burgerman

New Member
ONSITE: How do you deal with AV false positives detected in your kit?



These days I don't have any trust in plugging flash drives into people's computers, because these days there are so many autorun viruses that will just infect the drive and carry the infection to the next PC. So obviously the best thing is to have all my program tools (e.g. Malwarebytes, ComboFix, Firefox, free antivirus setups, etc.) run off a CD that no autorun-type virus can touch.

Also, the problem is that sometimes antivirus programs like CA Antivirus or McAfee will detect some legitimate software tools as Trojans.


Today I had McAfee throw out a detection on a CD of tools right in front of my client's face..... "Virus detected!" Once I even had a driver file for a TV tuner card detected as a virus by CA Antivirus right in front of another client's face!

So my line is: "It's just a false positive, which means your program is saying it's a virus when it's not. It often happens because this CD has a lot of tools on it that do things that some programs would consider virus-like."


Today's client was an old client of mine, but darn, she was jittery and on edge after it. They still have to trust you. Sometimes I wonder if I can even trust myself.


So now I really don't want to plug in any flash drive or insert any CD when I think the customer is going to be bombarded with virus false positives... especially considering that most paid-for AVs seem to be near impossible to properly turn off these days.

  • Have you had this problem yet?
  • Got any stories about customers this has happened to?
  • How do you deal with this situation onsite?


My only solutions are:
  • not using flash drives anymore
  • trying to separate some tools from some well-known stuff on different discs (e.g. have all your free AV installs on one disc and "keyfinder, registry-type tools" on another).





P.S. It doesn't happen often... maybe once in 20 times... but I've lost love for the business having to deal with situations like this, among others.
 
I still use my flash drive, but with autorun protection, and I image it before using it so I can restore it quickly as well. Unfortunately there is no fix for this; the best you can do is put the file in a password-protected zip file so antiviruses can't scan it, disable the customer's antivirus, then extract your files. It's a big PITA... Some clients understand when I explain to them that the tools are detected incorrectly because they act like hacking tools, e.g. they may allow me to back up your Firefox passwords, but they're not malicious themselves.
 
The only time I've had that happen is when I'm using a NirSoft tool for password retrieval. I now mention that it's about to happen, as "due to their invasive nature, they usually trigger the AV".
 
If the client is watching me, I will tell 'em what's about to happen. 99.9% of the time I remove the anti-virus software before I do anything.
 
I have the same problem using NirSoft tools. I wish AV companies would just remove tools like this from their definitions.

Also, it goes to show how clueless AV companies are.
 
We had a post a few weeks back similar to this; I forget who it was, but they had a great idea: since they are so cheap, go pick up 10-20 flash drives and load your tools on all of them so they're identical, then when you're done with one just wipe and restore it. I even do it from the client's machine; a simple re-format, nothing gets taken away. I just picked up 10 Toshiba 8 GB drives from OfficeMax for $12 a pop. I tend to break them, so I buy a lot anyway.
 
I always use a flash drive with a write-protect switch; when you plug them into a client's computer they can't be written to while the switch is on.

If you're worried about somebody trusting you, don't, because they wouldn't have you working on their computer if they didn't trust you in the first place. There are standard things like this that we all tell clients; you need to get into the habit of seeing what AV they have installed and telling them, before the warnings pop up, that they are false-positive warnings.
 
> We had a post a few weeks back similar to this; I forget who it was, but they had a great idea: since they are so cheap, go pick up 10-20 flash drives and load your tools on all of them so they're identical, then when you're done with one just wipe and restore it. [...] I tend to break them, so I buy a lot anyway.

I use a SanDisk Cruzer Micro. I have an 8 GB right now. It's been in the washer multiple times and run over by my truck once. It's still ticking great. Not sure what brand you're using, but I have a hard time breaking mine.

I use the older ones, before they had U3 on them. The new ones suck; their detection speeds are crazy slow. I buy mine from Newegg. They still have the old ones available. I keep a brand-new, in-the-package one in my bag just in case a customer wants to buy one.

Edit: Newegg, I guess, no longer has them.
 
Yeah, I hate CA. Was at a customer's house the other day and it deleted one of my files off the USB. Of course I couldn't get it back. Lesson learned: always disable that stupid program before sticking in the USB. Haven't experienced this with Norton or others yet.

I found a list of how to disable different security programs via Google, and I think I will use it from now on.
 
> Yeah, I hate CA. Was at a customer's house the other day and it deleted one of my files off the USB. Of course I couldn't get it back. Lesson learned: always disable that stupid program before sticking in the USB. [...]

This is why I back up my flash drive once a week.

About a month ago I forgot my flash drive at one of my advertisers' offices. I forgot where I left it and did not have it backed up. Luckily I had most of my tools on a CD-R that I had made, but there was tons of stuff missing. Luckily a few days later I got my drive back, but ever since I have made a point to back it up once a week.
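Several posts in this thread come down to the same need: imaging the stick before use so it can be restored, finding out that CA "cleaned" a file off the USB, backing the stick up weekly, and re-fetching tools an AV has removed. What is missing from all of them is a quick way to know exactly what changed on the stick after it came out of a client machine. The following is an added example written for this thread; it is not code from any of the posters, from TechTools or from Ketarin. It assumes the toolkit lives under one directory, records a SHA-256 manifest while the stick is known-clean (right after imaging it), and then reports files that went missing (AV quarantine or deletion), files that were altered, and files that appeared on their own, parsing any new autorun.inf for the targets an autorun worm would point at. The manifest file name, tool names and the whole scenario in demo() are constructed for illustration.

```python
"""
Toolkit integrity check for a technician's USB stick.

Added example, not code from the thread. Build the manifest while the stick
is known-clean, run verify() after each client visit.
"""
import configparser
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # hypothetical name; stored beside the tools


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root (except the manifest itself) and save the map.
    Paths are stored relative and POSIX-style so the manifest is valid whatever
    drive letter the stick gets on the next machine."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(root).as_posix()] = sha256_of(p)
    (root / MANIFEST_NAME).write_text(json.dumps(entries, indent=2))
    return entries


def autorun_targets(path: Path) -> list:
    """Return what an autorun.inf would launch ([autorun] open= / shellexecute=).
    The file is only parsed, never executed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(path.read_text(errors="replace"))
    except configparser.Error:
        return ["<unparseable autorun.inf>"]
    if not cp.has_section("autorun"):
        return []
    return [cp["autorun"][k].strip()
            for k in ("open", "shellexecute") if cp.has_option("autorun", k)]


def verify(root: Path) -> dict:
    """Compare the stick's current contents against the saved manifest."""
    expected = json.loads((root / MANIFEST_NAME).read_text())
    current = {p.relative_to(root).as_posix(): p for p in root.rglob("*")
               if p.is_file() and p.name != MANIFEST_NAME}
    report = {"missing": [], "modified": [], "unexpected": [], "autorun": []}
    for rel, digest in expected.items():
        if rel not in current:
            report["missing"].append(rel)        # AV quarantined/deleted it
        elif sha256_of(current[rel]) != digest:
            report["modified"].append(rel)       # changed on the client box
    for rel, p in sorted(current.items()):
        if rel not in expected:
            report["unexpected"].append(rel)     # something wrote to the stick
            if p.name.lower() == "autorun.inf":
                report["autorun"].extend(autorun_targets(p))
    return report


def demo(root: Path = None) -> dict:
    """Constructed scenario: a clean stick is manifested, then an AV deletes a
    password-recovery tool, another tool gets tampered with, and an autorun
    worm drops autorun.inf plus a hidden executable."""
    if root is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(Path(d))
    tools = root / "tools"
    tools.mkdir(parents=True, exist_ok=True)
    (tools / "pwrecovery.exe").write_bytes(b"MZ fake password-recovery tool")
    (tools / "setup_av.exe").write_bytes(b"MZ fake AV installer")
    build_manifest(root)
    # What the client machine did to the stick:
    (tools / "pwrecovery.exe").unlink()                       # AV "cleaned" it
    (tools / "setup_av.exe").write_bytes(b"MZ tampered")
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=RECYCLER\\x.exe\nicon=%SystemRoot%\\system32\\shell32.dll,4\n")
    (root / "RECYCLER").mkdir()
    (root / "RECYCLER" / "x.exe").write_bytes(b"MZ dropper")
    return verify(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))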
 
> I use a SanDisk Cruzer Micro. I have an 8 GB right now. It's been in the washer multiple times and run over by my truck once. It's still ticking great. Not sure what brand you're using, but I have a hard time breaking mine.


I have an old 512 MB that I use; it's held together by baseball-glove string, and a 12 GB Microdrive that has been dropped in a pool, washer, shower, and a bowl of Froot Loops. I use whatever is on sale. I tend to drop them all and step on them; if I get $120 from a client, then my $13 flash drive is paid for.

But I now have 10 unopened Toshibas (8 x 8 GB, 2 x 16 GB), 6 SanDisk 8 GB, Verbatims (4 x 8 GB, 2 x 16 GB), and 2 I/O 12 GB Microdrives (keepers). Then a few misc promo flash drives I get. I do get customers who will buy my used flash drive after I reformat it on their machine; a lot of them only get used for a month before I sell it or break it.

And as for the breaking: they tend to jump out of my pocket or fall out of my bag, and my cat loves the fact that I have yet to learn he will yank them out if they stick out of the machine and he wants past, even though he has a 1200-square-foot apartment to roam.

This may be out of the box, but what term do you use: flash drive, pen drive, USB drive, pocket drive, memory stick? At the retail store I work at I hear them all, but what's Technibble's term of choice?
 
As you become aware of this, you will routinely disable "active scanning" on your clients' machines before plugging in your toolkit.

Since I use TechTools 3.0 with Ketarin, I can always restore an app on my stick that an AV has eliminated. Also, I keep it in my Dropbox account so I don't even have to have the USB stick with me. I just go to my Dropbox and choose the tool I want.
 