What about making your users "regular" users instead of local admins or powerusers, that will cover a lot of infections...
Unfortunately, that's not the best solution for our environment.
My ideal solution would be a method to use McAfee to prohibit the use of autorun.inf on USB devices. I know there are other workarounds to the issue, but I'd like to keep this conversation focused on the ideal solution. I just want to know if it's possible or if people have found ways of using less obvious settings in McAfee to accomplish this.
You have two options.
1. Use HIPS signatures to block autorun activity.
2. Use an AD GPO policy to prevent autorun activity.
Please read 967715 thoroughly. Run the OS appropriate version from 967715. This is likely to require a reboot when applied.
'NoDriveTypeAutoRun' changes can be deployed via GPO, scripting, or through simple registry changes and a batch file, as you wish.
Please ask questions if you need more help, and I hope this has been helpful.
It was helpful for me, thanks for the info.
If you have VirusScan can't you just add autorun.inf to the following rules?
1) Access Protection Policies > User-Defined Rules > autorun.inf
2) Unwanted Programs Policies > User-Defined Items > autorun.inf
Well, what do you want the rule to do, exactly? And what about CDs that are read-only, what does your rule do with those?
And I am not sure, but the .inf file is not actually running anything, it is Explorer.exe and the embedded setup routines, specified within the .inf file. So, I am not sure what you may be blocking here. If you are simply stopping the creation of .inf files, that may help stop the spread from an already infected system.
Not sure, but simple is sometimes not so simple.
It is an interesting idea, but I would like some details before I would trust this solution.
Thanks, you have me thinking...
I could only assume that if you were to include the autorun.inf file in those two policies I mentioned earlier, that VirusScan would at the very least prevent that file from being read or executed. I understand that it's calling explorer.exe to open up a Windows Explorer box, but in order for that to happen the autorun.inf is read/executed by the system. I haven't tested this yet, but it's something I've had on my "want to try" list.
I got bit bad by the W32/Sality virus about a year ago, and it kept spreading because of the autorun crap. Wish I had thought about trying that out then.
Not sure it would have helped: Like I said, Autorun.Inf is not executed; the program specified within (usually setup.exe or the like) is executed, and maybe Explorer.exe which is actually running the .inf script. Even if you were able to block all Autorun.inf files from being read, you would need to do so with both Read and Write scanning (which I believe kills performance since there are anywhere between 4 to 8 reads for every write) and you would then block all CDs with Autorun.inf. How many support calls do you think this would generate?
Setting NoDriveTypeAutoRun registry value to 0x95 is far more selective and effective.
0x01 Disables AutoPlay on drives of unknown type
0x04 Disables AutoPlay on removable drives
0x10 Disables AutoPlay on network drives
0x80 Disables AutoPlay on drives of unknown type
Does this make any sense?
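
A local audit of the registry value discussed in this thread, added here as an example and not part of any poster's message. The function name `Get-AutoRunPolicy` is hypothetical; the bits 0x08, 0x20 and 0x40 are not listed in the thread and come from Microsoft's documentation of `NoDriveTypeAutoRun`.

```powershell
# Added example: report which drive types have AutoRun disabled and which bits
# of the 0x95 baseline recommended in the thread are still missing.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'drives of unknown type' }
    @{ Bit = 0x04; Name = 'removable drives' }
    @{ Bit = 0x08; Name = 'fixed drives' }
    @{ Bit = 0x10; Name = 'network drives' }
    @{ Bit = 0x20; Name = 'CD-ROM drives' }
    @{ Bit = 0x40; Name = 'RAM disks' }
    @{ Bit = 0x80; Name = 'drives of unknown type (second bit)' }
)

function Get-AutoRunPolicy {
    param([int]$Baseline = 0x95)

    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value  = $null
    $source = 'not configured (OS default applies)'

    # A machine-wide (HKLM) value overrides the per-user (HKCU) one, so check it first.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = Get-ItemProperty -Path "$hive\$subKey" -ErrorAction SilentlyContinue
        if ($key -and $null -ne $key.NoDriveTypeAutoRun) {
            $raw = $key.NoDriveTypeAutoRun
            # Some systems store the value as REG_BINARY; the flags are in the first byte.
            if ($raw -is [byte[]]) { $raw = $raw[0] }
            $value  = [int]$raw
            $source = "$hive\$subKey"
            break
        }
    }

    $disabled = @(); $missing = @()
    foreach ($entry in $DriveTypeBits) {
        $isSet = ($null -ne $value) -and (($value -band $entry.Bit) -ne 0)
        if ($isSet) { $disabled += $entry.Name }
        elseif ($Baseline -band $entry.Bit) { $missing += ('0x{0:X2} {1}' -f $entry.Bit, $entry.Name) }
    }

    [pscustomobject]@{
        Source              = $source
        Value               = if ($null -ne $value) { '0x{0:X2}' -f $value } else { 'not set' }
        AutoRunDisabledFor  = $disabled
        MissingFromBaseline = $missing
        MeetsBaseline       = ($missing.Count -eq 0)
    }
}

Get-AutoRunPolicy | Format-List
```

A value that is not set is reported as not meeting the baseline, because the script does not assume what the operating system default is.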