cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

Prevent autorun.inf on flash drives (8.5i or 8.7i)

Our most significant method of infection with our computers is through flash drives being passed around. I would find it extremely helpful if there was a way to set up McAfee to prohibit running autorun.inf files from USB devices.

We have a need to run autorun.inf from CDs and DVDs. I can't seem to figure out how to set user-defined rules to only block files on USB devices. Any suggestions?

I use McAfee enterprise 8.5i with the possibility of upgrading to 8.7i if it helps. I really just wish there was a box that said "ignore autorun.inf on these types of drives"
14 Replies
Highlighted

RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)



What about making your users "regular" users instead of local admins or powerusers, that will cover a lot of infections...

reg, Henno
Highlighted

RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)

Unfortunately, that's not the best solution for our environment.

My ideal solution would be a method to use McAfee to prohibit the use of autorun.inf on usb devices. I know there are other workarounds to the issue, but I'd like to keep this conversation focused on the ideal solution. I just want to know if it's possible or if people have found ways of using less obvious settings in McAfee to accomplish this.
Highlighted

RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)

You have two options.

1. Use HIPS signatures to block autorun activity.

2. Use an AD GPO policy to prevent autorun activity.
Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 15

RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)


Please read 967715 thoroughly. Run the OS appropriate version from 967715. This is likely to require a reboot when applied.

'NoDriveTypeAutoRun' changes can be deployed via GPO, scripting, or through simple registry changes and a batch file, as you wish.

Please ask questions if you need more help, and I hope this has been helpful.
Ron Metzger
Thanks,
Ron Metzger

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Highlighted

RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)

It was helpful for me, thanks for the info.
Highlighted
Level 7
Report Inappropriate Content
Message 7 of 15

RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)

If you have VirusScan can't you just add autorun.inf to the following rules?

1) Access Protection Policies > User-Defined Rules > autorun.inf
2) Unwanted Programs Policies > User-Defined Items > autorun.inf
Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 8 of 15

RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)



Hi Dustrho,

Well, what do you want the rule to do, exactly? And what about CDs that are read-only, what does your rule do with those?

And I am not sure, but the .inf file is not actually running anything, it is Explorer.exe and the embedded setup routines, specified within the .inf file. So, I am not sure what you may be blocking here. If you are simply stopping the creation of .inf files, that may help stop the spread from an already infected system.

Not sure, but simple is sometimes not so simple.

It is an interesting idea, but I would like some details before I would trust this solution.

Thanks, you have me thinking...
Ron Metzger
Thanks,
Ron Metzger

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Highlighted
Level 7
Report Inappropriate Content
Message 9 of 15

RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)

I could only assume that if you were to include the autorun.inf file in those two policies I mentioned earlier, that VirusScan would at the very least prevent that file from being read or executed. I understand that it's calling explorer.exe to open up a Windows Explorer box, but in order for that to happen the autorun.inf is read/exectured by the system. I haven't tested this yet, but it's something I've had on my "want to try" list.

I got bit bad by the W32/Sality virus about a year ago, and it kept spreading because of the autorun crap. Wish I had thought about trying that out then.
Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 10 of 15

RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)



Not sure it would have helped: Like I said, Autorun.Inf is not executed; the program specified within (usually setup.exe or the like) is executed, and maybe Explorer.exe which is actually running the .inf script. Even if you were able to block all Autorun.inf files from being read, you would need to do so with both Read and Write scanning (which I believe kills performance since there are anywhere between 4 to 8 reads for every write) and you would then block all CDs with Autorun.inf. How many support calls do you think this would generate.

Setting NoDriveTypeAutoRun registry value to 0x95 is far more selective and effective.

0x01 Disables AutoPlay on drives of unknown type
0x04 Disables AutoPlay on removable drives
0x10 Disables AutoPlay on network drives
0x80 Disables AutoPlay on drives of unknown type

Does this make any sense?
Ron Metzger
Thanks,
Ron Metzger

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community