- Dec 23, 2014
We can skip the INF files, because they can be run by the user only with a right-click Explorer context menu or by a command line, so they are not as dangerous as other scripts.

EAM actually already does that. It doesn't matter for EAM whether you copy the interpreter or not. Some malware was using that for rundll32.exe as a bypass for some AV in the past and we decided to handle this type of behaviour for all "host processes" as we call them internally. You can obviously still copy the file and break the signature so EAM no longer detects it, but by doing so you also cause EAM to no longer trust it.
Other than that messing with INF is a very, very bad idea. Every single hardware driver (including Windows Update) relies on it. In most cases, they will probably invoke the Setup API directly, but you never know. At the very least INF files don't get executed automatically on double click.
I am not sure if my arguments have convinced you, but thanks for the interesting discussion and answering my questions.