14 Replies. Latest reply on Aug 4, 2009 12:54 PM by rmetzger

    Prevent autorun.inf on flash drives (8.5i or 8.7i)

      Our most significant method of infection with our computers is through flash drives being passed around. I would find it extremely helpful if there was a way to set up McAfee to prohibit running autorun.inf files from USB devices.

      We have a need to run autorun.inf from CDs and DVDs. I can't seem to figure out how to set user-defined rules to only block files on USB devices. Any suggestions?

      I use McAfee enterprise 8.5i with the possibility of upgrading to 8.7i if it helps. I really just wish there was a box that said "ignore autorun.inf on these types of drives"
        • 1. RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)


          What about making your users "regular" users instead of local admins or power users? That will cover a lot of infections...

          reg, Henno
          • 2. RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)
            Unfortunately, that's not the best solution for our environment.

            My ideal solution would be a method to use McAfee to prohibit the use of autorun.inf on usb devices. I know there are other workarounds to the issue, but I'd like to keep this conversation focused on the ideal solution. I just want to know if it's possible or if people have found ways of using less obvious settings in McAfee to accomplish this.
            • 3. RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)
              You have two options.

              1. Use HIPS signatures to block autorun activity.

              2. Use an AD GPO policy to prevent autorun activity.
              • 4. RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)
                rmetzger

                Please read 967715 thoroughly. Run the OS appropriate version from 967715. This is likely to require a reboot when applied.

                'NoDriveTypeAutoRun' changes can be deployed via GPO, scripting, or through simple registry changes and a batch file, as you wish.

                Please ask questions if you need more help, and I hope this has been helpful.
                Ron Metzger
                • 5. RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)
                  It was helpful for me, thanks for the info.
                  • 6. RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)
                    dustrho
                    If you have VirusScan can't you just add autorun.inf to the following rules?

                    1) Access Protection Policies > User-Defined Rules > autorun.inf
                    2) Unwanted Programs Policies > User-Defined Items > autorun.inf
                    • 7. RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)
                      rmetzger


                      Hi Dustrho,

                      Well, what do you want the rule to do, exactly? And what about CDs that are read-only, what does your rule do with those?

                      And I am not sure, but the .inf file is not actually running anything, it is Explorer.exe and the embedded setup routines, specified within the .inf file. So, I am not sure what you may be blocking here. If you are simply stopping the creation of .inf files, that may help stop the spread from an already infected system.

                      Not sure, but simple is sometimes not so simple.

                      It is an interesting idea, but I would like some details before I would trust this solution.

                      Thanks, you have me thinking...
                      Ron Metzger
                      • 8. RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)
                        dustrho
                        I could only assume that if you were to include the autorun.inf file in those two policies I mentioned earlier, that VirusScan would at the very least prevent that file from being read or executed. I understand that it's calling explorer.exe to open up a Windows Explorer box, but in order for that to happen the autorun.inf is read/executed by the system. I haven't tested this yet, but it's something I've had on my "want to try" list.

                        I got bit bad by the W32/Sality virus about a year ago, and it kept spreading because of the autorun crap. Wish I had thought about trying that out then.
                        • 9. RE: Prevent autorun.inf on flash drives (8.5i or 8.7i)
                          rmetzger


                          Not sure it would have helped: Like I said, Autorun.Inf is not executed; the program specified within (usually setup.exe or the like) is executed, and maybe Explorer.exe which is actually running the .inf script. Even if you were able to block all Autorun.inf files from being read, you would need to do so with both Read and Write scanning (which I believe kills performance since there are anywhere between 4 to 8 reads for every write) and you would then block all CDs with Autorun.inf. How many support calls do you think this would generate?

                          Setting NoDriveTypeAutoRun registry value to 0x95 is far more selective and effective.

                          0x01 Disables AutoPlay on drives of unknown type
                          0x04 Disables AutoPlay on removable drives
                          0x10 Disables AutoPlay on network drives
                          0x80 Disables AutoPlay on drives of unknown type

                          Does this make any sense?
                          Ron Metzger
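
An added example, not part of any post in this thread: a PowerShell audit that reads NoDriveTypeAutoRun from the policy key and decodes it against the thread's goal (AutoPlay off for removable drives, still on for CDs and DVDs). The function name Test-AutoRunPolicy is hypothetical, and the 0x08, 0x20 and 0x40 bit meanings are taken from Microsoft's documentation of the value rather than from the post above.

```powershell
# Added example (not from the thread). Decodes NoDriveTypeAutoRun bit by bit.
# 0x01, 0x04, 0x10 and 0x80 are the bits listed in the post; 0x08, 0x20 and 0x40
# are the remaining documented bits and are an addition here.
$DriveTypeBits = @(
    @{ Mask = 0x01; Type = 'unknown type' },
    @{ Mask = 0x04; Type = 'removable drives' },
    @{ Mask = 0x08; Type = 'fixed drives' },
    @{ Mask = 0x10; Type = 'network drives' },
    @{ Mask = 0x20; Type = 'CD-ROM drives' },
    @{ Mask = 0x40; Type = 'RAM disks' },
    @{ Mask = 0x80; Type = 'unknown type (high bit)' }
)

# Hypothetical helper: reports which drive types a value disables AutoPlay on,
# and whether it meets the requirement stated in the original question.
function Test-AutoRunPolicy {
    param([int]$Value)
    $disabled = @($DriveTypeBits |
        Where-Object { $Value -band $_.Mask } |
        ForEach-Object { $_.Type })
    New-Object PSObject -Property @{
        Value             = '0x{0:X2}' -f $Value
        DisabledOn        = $disabled -join ', '
        RemovableBlocked  = [bool]($Value -band 0x04)
        CdRomStillAllowed = -not [bool]($Value -band 0x20)
    }
}

# Audit the live setting in the machine and current-user policy keys.
$key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $p = Get-ItemProperty -Path "$hive\$key" -Name NoDriveTypeAutoRun `
        -ErrorAction SilentlyContinue
    if ($null -eq $p) {
        "$hive NoDriveTypeAutoRun is not set"
        continue
    }
    Test-AutoRunPolicy -Value $p.NoDriveTypeAutoRun
}

# The value recommended above: 0x95 = 0x80 + 0x10 + 0x04 + 0x01.
# Bit 0x20 is clear, so CD/DVD AutoPlay is left alone while USB is blocked.
Test-AutoRunPolicy -Value 0x95
```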