
mysec Premium join:2005-11-29
For those interested, a less complicated solution for preventing autoruns from installing programs: any program with execution protection will do the job.
I find this useful on family computers, where the parents control the installation of programs.
Some tests:
»www.urs2.net/rsj/computing/tests/autorun/
edit: spelling
---- rich
Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
Re: Blocking autorun
Read the bit about the exploit in the 1st post.
Cudni
Anon Name @telus.net
Is that for SONY rootkits or what? I'd be the weakest link with CD security. I burn back-ups of my OS and insert blank media for burning. I wouldn't dare put in an AOL FREE disk or some trash like that, but I guess..... As long as it doesn't screw up the Vista built-in burning and CD sessions; Vista works well that way.
HA Nut Premium join:2004-05-13 USA
As the article notes (and as I noticed some time ago), even with autoplay defeated, if you double-click a CD drive's icon, it often fires up something via autoplay. What I do now is right-click and choose Explore instead of Open.
That said, it's nice to know how to permanently block autoplay...
brianiscool join:2000-08-16 Miami, FL
Easy: create your own snap-in security scope.
Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
Host: Security Product V.. Security
It seems that a lot of people, including a few in this thread, not to mention the author of the article, mix up AutoPlay and AutoRun. They are not the same.
said by EGeezer: It seems that disabling autoplay through Explorer doesn't prevent autoplay from working in all cases.
Not entirely true: disabling it should disable AutoPlay, but it won't disable AutoRun, which should be obvious.
said by newsletter: I was able in just a few minutes to make an AutoRun file that would run, even with AutoPlay disabled in XP and "take no action" selected in Vista.
Of course he was. Disabling AutoPlay has nothing to do with AutoRun. It's not an exploit. It's a feature.
Microsoft introduced the AutoRun specification in Windows 95. AutoPlay is as new as XP. AutoRun worked long before AutoPlay even existed. What makes you think disabling AutoPlay would or should disable AutoRun? -- You can catch the Devil, but you can't hold him long.
Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
You don't need software to stop Autorun. I have a .reg file on my desktop like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

Copy it into Notepad and save it as whatever.reg; in my case, Autorun.reg.
If I need to insert a CD or DVD, I just double-click it. Autorun is disabled; insert the CD, examine it, and if it's OK, I just change the dword to dword:00000001, save the file and double-click it again. Autorun is enabled again.
As for disabling AutoRun for USB media, I really see no reason for it. I use the Autorun.inf extensively on my USB stick to create right-click menus, have TrueCrypt automatically start and ask for a password, etc...
The only USB media that gets connected to my laptop is mine, so what's the point? -- You can catch the Devil, but you can't hold him long.
Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
Re: Blocking autorun
OK, here's the situation. We have an article written by someone who doesn't have a clear understanding of how things work, creating unnecessary panic among those who are unclear about how things work. Let's see if I can help.
said by EGeezer: WCB, thanks for the registry tweak! Unfortunately, unlike yourself, others may use a PC and want to do things like store documents, run portable apps etc.
I do all of that. In fact I do nothing but.
I think instead of answering your questions one by one, I should first explain how things work when it comes to autorun.inf. Once you know a bit more about that, you may not care about some of those questions.
autorun.inf was designed to be included on CDs. Sure, it does work on just about any kind of drive, including your hard drive and even mapped Network drives, if you know how to get it to work, but what you're afraid of (launching an application without your interaction) can only work if the file resides on a CD/DVD or a media that emulates a CD media. In other words almost every command in autorun.inf works on a USB drive except
Open=whatever.exe
unless it is accompanied by:
Action=Whatever
in which case you'll get the AutoPlay pop up, asking you whether you want to run it using "whatever". It's not going to be automatic.
Now, I'm sure someone is going to show up and say they have a USB drive with autorun.inf that actually does run an application automatically. The answer is yes, however all those USB drives have two partitions, a large one formatted as FAT and a tiny one formatted as CDFS. Windows reads the CDFS partition, assumes it's a CD and then runs the autorun.inf which resides on that partition.
Now if your USB drive doesn't have one of those partitions, you have nothing to worry about. I highly doubt anyone would go through the expense of handing out USB sticks just so they can get you to run their virus, when emailing you the virus would be much easier and far cheaper. Besides, once the partition emulates a CD, Windows thinks of it as a CD and the tweak I mentioned would apply, which means no luck for Autorun.
Now, I guess the answer is clear as to why the tweak I provided would only work for CD/DVD drives and ignores the rest. And to answer one of your questions, no, limited user accounts can't modify the registry, but then again, neither can the virus they're going to try to run. There's probably a way around it by modifying the permissions on your registry keys to get it to work for your limited users, but the dangers of doing that wrong far outweigh not doing it at all.
Remember, even the infamous Sony DRM Rootkit wouldn't affect the limited user accounts. Power users are a different beast altogether. Don't use them.
Your last question, I can't really answer. I can tell you about security but when it comes to security apps, I can't be of much help as I hardly use or look for them. I doubt there's one that would do what you're asking but what do I know. 
Now, there's more I should tell you to help answer your other questions, but that requires another long post. I promise to do that a bit later. -- You can catch the Devil, but you can't hold him long.
jmorlan Hmm... That's funny. Premium join:2001-02-05 Pacifica, CA
said by Wildcatboy:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

Copy it to notepad, rename it to whatever.reg. In my case Autorun.reg
This setting also disables auto-insert notification, so CDs will not refresh when a new CD is inserted, nor will they refresh when F5 is pressed. It took quite a while for me to figure out why Explorer was showing the contents of the previous CD after a new one had been inserted.
For this reason I leave that registry key set to "1" and disable autorun for individual drives using TweakUI. This leaves auto-insert notification functional while disabling autorun for those drives.
TE I must crunch join:2006-05-07 Brea, CA
Re: Blocking autorun
said by jmorlan: This setting also disables auto-insert notification so CDs will not refresh when a new CD is inserted, nor will they refresh when F5 is pressed. It took quite a while for me to figure out why explorer was showing the contents of the previous CD after a new one had been inserted.
OT - Reminds me of what we used to do to new techs in the department. We would cut pin 34 (DSKCHG) on the floppy cable/drive and see how long it would take them to troubleshoot and repair.
OZO Premium join:2003-01-17
That's exactly right. Setting AutoRun=0 blocks the Media Change Notification (MCN) message. Unfortunately, with the bad design of this feature in Windows, it leads to:
• WE doesn't change the icon and title (label) on the drive. It doesn't matter how many times I press F5 to refresh the drive...
• The Properties box shows "File system: Unknown" instead of e.g. CDFS
• The context menu on the drive (right-click menu) does not show the AutoPlay item (which is not important)
I do not see any reason why Windows can't read and show the disk label and its file system without executing the Autorun.inf file... It doesn't put the computer at any risk (compared with executing a program from that unknown CD/DVD).
As jmorlan has mentioned, it took a lot of time for me as well to find out why my drive stopped showing its label when I insert a CD/DVD into it. AutoRun = 0 was the culprit.
Thus, with the current design, I need to keep MCN going in order to enable refreshing of the icon and title on the drive, while I need to disable just one particular feature: executing autorun.inf (which may start automatic execution of a program from the media). BTW, AutoPlay is not a problem here; it runs my local program, which doesn't contain any viruses/spyware etc.
And it looks like the solution of putting a fake path with "Autorun.inf" in the "IniFileMapping" key is working so far. The only side effect is that when I insert a CD/DVD it opens an extra WE window for that drive (which I did not ask for), but it's a minor problem... -- Keep it simple, it'll become complex by itself...
hpguru Curb Your Dogma Premium join:2002-04-12
said by Wildcatboy: You don't need software to stop Autorun. I have a .reg file on my desktop like this:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

Copy it to notepad, rename it to whatever.reg. In my case Autorun.reg. If I need to insert a CD or DVD, I just double-click it. Autorun is disabled; insert the CD, examine it, and if it's OK, I just change the dword to dword:00000001, save the file and double-click it again. Autorun is enabled again. As for disabling AutoRun for USB media, I really see no reason for it. I use the Autorun.inf extensively on my USB stick to create right-click menus, have TrueCrypt automatically start and ask for a password, etc... The only USB media that gets connected to my laptop is mine, so what's the point?
This is one solution, albeit a very good one. Another is Software Restriction Policy in whitelist mode. In your case you could create hash rules for TrueCrypt and any other programs you wish to run from your USB stick or other removable media, and this would save you from having to re-enable autorun every time you use those programs. Leave it enabled. Only the programs you have authorized will run. -- Christianity: A cannibalistic blood cult based upon the human blood sacrifice of a virgin male. It teaches you must eat the flesh and drink the blood of the virgin to be saved.
Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
said by jmorlan: This setting also disables auto-insert notification so CDs will not refresh when a new CD is inserted, nor will they refresh when F5 is pressed.
Yes it does, which is why I mentioned I kept the file on the desktop, only for when I need to insert an unknown and untrusted CD into the drive. In normal circumstances, I leave it enabled because I like the feature and I use it.
OK, to answer the other questions as promised and to give you guys more ideas, here's another way around it.
Explorer uses the registry key to determine which drive should or should not recognize AutoRun.
And this is how the value of NoDriveTypeAutoRun is set. A little complicated, but bear with me. There are several drive types, and each has a bit in the mask and a decimal/hex value as follows:
Now, the base value is 128 and by default, in Windows 9x, bits 0, 2, 4 and 7 are already set. (Bit 7 is reserved for future drive types hence the base value of 128). So you have
128 + 1 + 4 + 16 = 149 (hex 95)
This disables the AutoRun function for DRIVE_UNKNOWN, DRIVE_REMOVABLE, and DRIVE_REMOTE (network drives) by default.
In Windows XP, AutoRun is enabled for DRIVE_REMOVABLE (floppy, etc...), so you take the value of bit 2 (4) off 149, which gives you 145, or hex 91. I believe that's the default value in XP.
If you want to Disable AutoRun for DRIVE_CDROM, just add 32.
145 + 32 = 177 (hex B1)
I could have just told you to set the value to 177 but that would have been too easy and you wouldn't know why. :) Now you can also experiment by adding or removing numbers to enable or disable AutoRun for other kinds of drives that you might have.
It will not affect MCN, and your CD/DVD is still recognized each time you insert a new one; however, AutoPlay won't work and your CDs and DVDs won't start automatically.
Disclaimer: I don't have a CD with autorun.inf handy at the moment to test it but the method should work. Give it a try if you like and let us all know how it goes.
-- You can catch the Devil, but you can't hold him long.
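Wildcatboy's bitmask arithmetic above, worked through as an added example (this is not code from the thread): it encodes and decodes the NoDriveTypeAutoRun mask and renders the same kind of .reg file he uses for the Cdrom tweak. The bit-to-drive-type table the post refers to is missing from this page, so it is filled in here from the standard Windows drive-type numbering, and the Explorer policy key path is supplied by me, not by the post.

```python
# Added example: NoDriveTypeAutoRun is an 8-bit mask; a set bit disables AutoRun for
# that drive type. Bit positions follow the GetDriveType() numbering; bit 7 is reserved
# and is set in the stock defaults, which is why the post's "base value" is 128.
from typing import Iterable, Set

DRIVE_TYPE_BITS = {
    "DRIVE_UNKNOWN":     0x01,  # bit 0
    "DRIVE_NO_ROOT_DIR": 0x02,  # bit 1
    "DRIVE_REMOVABLE":   0x04,  # bit 2 (floppy, USB stick)
    "DRIVE_FIXED":       0x08,  # bit 3
    "DRIVE_REMOTE":      0x10,  # bit 4 (network drives)
    "DRIVE_CDROM":       0x20,  # bit 5
    "DRIVE_RAMDISK":     0x40,  # bit 6
    "RESERVED":          0x80,  # bit 7
}

# Assumption (not stated in the thread): the per-machine Explorer policy key.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def encode(disabled: Iterable[str]) -> int:
    """Return the mask that disables AutoRun for the named drive types."""
    value = 0
    for name in disabled:
        value |= DRIVE_TYPE_BITS[name]  # KeyError on an unknown drive-type name
    return value


def decode(value: int) -> Set[str]:
    """Return the drive types for which AutoRun is disabled by `value`."""
    if not 0 <= value <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is an 8-bit mask")
    return {name for name, bit in DRIVE_TYPE_BITS.items() if value & bit}


def disable_type(value: int, name: str) -> int:
    """Set one more bit, e.g. add DRIVE_CDROM to the XP default."""
    return value | DRIVE_TYPE_BITS[name]


def enable_type(value: int, name: str) -> int:
    """Clear one bit, e.g. re-enable DRIVE_REMOVABLE as XP did."""
    return value & ~DRIVE_TYPE_BITS[name]


def show_sum(value: int) -> str:
    """Write a mask the way the post does, e.g. '128 + 16 + 4 + 1 = 149 (hex 95)'."""
    parts = [bit for bit in sorted(DRIVE_TYPE_BITS.values(), reverse=True) if value & bit]
    return f"{' + '.join(map(str, parts))} = {value} (hex {value:02X})"


def reg_file(value: int) -> str:
    """Render a .reg file that writes `value` as a REG_DWORD (CRLF line endings)."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{POLICY_KEY}]\r\n"
        f'"NoDriveTypeAutoRun"=dword:{value:08x}\r\n'
    )


if __name__ == "__main__":
    win9x = encode(["RESERVED", "DRIVE_UNKNOWN", "DRIVE_REMOVABLE", "DRIVE_REMOTE"])
    xp = enable_type(win9x, "DRIVE_REMOVABLE")
    print("Win9x default:", show_sum(win9x))
    print("XP default:   ", show_sum(xp))
    print("XP + no CD/DVD AutoRun:", show_sum(disable_type(xp, "DRIVE_CDROM")))
    print(reg_file(disable_type(xp, "DRIVE_CDROM")))
```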
OZO Premium join:2003-01-17
Re: Blocking autorun
The value 0xB1 for the registry value NoDriveTypeAutoRun placed into the HKEY_LOCAL_MACHINE hive is working well (actually, as it should have been from the beginning, IMHO). It will block autorun.inf from automatic execution, but still change/modify the drive label, show the proper filesystem type (e.g. CDFS) in the Properties dialog box and provide an AutoPlay item in the right-click menu in WE (you will be able to execute it if you need to).
Wildcatboy - thanks for sharing
said by Wildcatboy: ... which is why I mentioned I kept the file on the desktop, only for when I need to insert an unknown and untrusted CD into the drive. In normal circumstances, I leave it enabled because I like the feature and I use it.
If you need to block autorun.inf from running on a temporary basis, you do not need to run two reg files and make two relogins/restarts of WE in the process. Just press the SHIFT key while you're inserting a CD/DVD with autorun.inf and the file will be temporarily blocked from execution, yielding the same result as using the registry value above. -- Keep it simple, it'll become complex by itself...
Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
Re: Blocking autorun
said by OZO: If you need to block autorun.inf from running on a temporary basis you do not need to run two reg files and make two relogins/restarts of WE in the process. Just press SHIFT key while you're inserting CD/DVD
True, but for some reason I trust the reg file more than my finger on the shift key.
By the way, no restart is needed. I just click on the file and insert the CD/DVD. -- You can catch the Devil, but you can't hold him long.
Sindows 7 join:2006-09-13 Hope, BC
That should do it.
DRM Killler @rr.com
Another nice thing about Vista is that even if Autorun and Autoplay are enabled and you insert an infected device, Vista will ask you to approve any executable before running it. XP does not offer this protection. Since the OP was about Vista, the whole "auto anything" point is quite moot. If something executes upon insertion or clicking, just click "No", unless you were wanting or expecting an executable to infect your system with malware. That is why the "No" option in the prompt is available.
norwegian Premium join:2005-02-15 Outback
Not quite sure how to put this, but I was thinking, maybe this is an interesting thread on a topic that does need research.
With minimal time to research at the moment, I am curious why, in the past 3 months, Autoplay seems to run randomly at times, in not quite a standard fashion, meaning it will open a window when nothing is happening to my disk drives, floppy etc.
Is this a trait of something new, or just mishandling of my protection? Broken drivers?
Otherwise, I have enjoyed some real info for a change. Almost what it used to be here once.
Thank you.
Edit: Minor correction
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
planet join:2001-11-05 Olmsted Falls, OH
Re: Blocking autorun
said by WCB: (launching an application without your interaction) can only work if the file resides on a CD/DVD or a media that emulates a CD media.
So, holding down the left shift key when inserting any removable media should prevent unwanted execution, correct?
And, thanks for a great read. I shift from being paranoid with this to not so paranoid. So far so good, but ya never know.
NickBrown join:2007-12-03
Hi,
As the co-discoverer of the "blocking Autorun.inf" hack, I'm interested to see how far it has spread. See my original blog article at »nick.brown.free.fr/blog/2007/10/···rms.html.
The key point is that Autorun.inf allows much more than just "this program runs when you insert the media". Specifically, it allows the right-click menu in Explorer to be changed, and by extension, the default behaviour when you double-click a folder. At that point, Autorun.inf can run an executable, and AFAIK, that cannot be blocked by any "official" means, at least in XP.
Since we applied this registry hack to all of our 1800 PCs, our rate of memory stick worm infection has dropped from 2 or 3 per week to zero.
(If you can't apply this hack for some reason, consider protecting the stick itself, using the trick described in the next blog article from the one mentioned above.)
Nick
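The autorun.inf directives Wildcatboy (Open=/Action=) and Nick Brown (rewritten right-click menu and double-click default) describe, turned into a read-only triage routine as an added example; this is not code from the thread or from Nick's blog. The sample autorun.inf is constructed, and the key names shell=, shell\verb\command and shellexecute= come from the published autorun.inf format, not from this page.

```python
# Added example: parse an autorun.inf and report the directives that can launch code or
# change what Explorer does when the drive is double-clicked or right-clicked.
# open=/shellexecute= name a program; action= is the text the AutoPlay prompt shows for it;
# shell\<verb>\command defines a right-click verb; shell=<verb> makes it the default action.
import configparser
from typing import Dict, List

# Constructed sample in the shape Nick Brown describes (file names are made up).
SAMPLE_AUTORUN_INF = """\
[AutoRun]
icon=setup.exe,0
label=Holiday Photos
open=update.exe
action=Open folder to view files
shell\\open\\command=update.exe
shell\\explore\\command=update.exe
shell=open
"""

LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value, or {} if absent."""
    # Only '=' separates key from value (a 'C:' path must not be split); duplicates tolerated.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":   # section names are case-insensitive on Windows
            return dict(cp[section])       # RawConfigParser lower-cases option names
    return {}


def triage(entries: Dict[str, str]) -> List[str]:
    """Return findings for directives that launch code or rewrite Explorer's behaviour."""
    findings: List[str] = []
    for key, val in entries.items():
        if key in LAUNCH_KEYS:
            findings.append(f"{key}={val}: runs on insert for CD/CDFS media, or via the AutoPlay prompt")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key.split("\\")[1]
            findings.append(f"right-click verb '{verb}' now runs {val}")
    if "shell" in entries:
        findings.append(f"shell={entries['shell']}: double-clicking the drive runs that verb")
    if "open" in entries and "action" in entries:
        findings.append(f"action='{entries['action']}' is the label the AutoPlay prompt will show")
    return findings


if __name__ == "__main__":
    for line in triage(parse_autorun(SAMPLE_AUTORUN_INF)):
        print("-", line)
```

A plain icon=/label= file yields no findings, so the routine distinguishes the harmless use Wildcatboy describes from the worm pattern Nick describes.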
NickBrown join:2007-12-03
Re: Blocking autorun
> could the user protect against folder deletion by making it and a file within it password protected with a 3rd party utility?
I'm not sure what this would mean. You're dealing with the file system (presumably FAT of some kind on a USB stick) directly here. When you place your stick into an arbitrary computer, you can't guarantee that the computer is running any given utility.
Most viruses are probably not smart enough to delete a directory called Autorun.inf as opposed to deleting or overwriting a file with the same name, because they are separate OS calls. And a directory with a file in it potentially requires a recursive tree delete, which is even more code. Of course, if my workaround becomes popular, that's what viruses will start to do.
However, the other day we came across a virus (not memory stick related) called PE_CORELINK.C which created three files, one in %SystemRoot% and two in %SystemRoot%\System32\Drivers. (It used what I call a pseudo-rootkit to hide from the Windows API, and this pseudo-rootkit was implemented via a boot-time driver.) Anyway, we were able to block it by creating directories of the same name as the files which it creates, but we also had to put NTFS permissions on them so that the user context (in which the virus runs) didn't even have read access. So this virus was able to delete directories. (I don't know if we checked what happened if we put a file in the directory instead of setting the permissions.)
shearer Northern Lights Premium join:2002-06-18 Toronto, ON
If I apply the tweak in the OP's post, does it mean other tricks like tweaking the Autorun=0 and NoDriveTypeAutoRun keys are not necessary?
NickBrown join:2007-12-03
Re: Blocking autorun
said by shearer: If I apply the tweak in OP's post, does it mean other tricks like tweaking Autorun=0 and NoDriveTypeAutoRun keys are not necessary?
Probably. In any case, most of the other keys are per-user rather than per-PC, which is a pain, especially in a corporate environment with roaming profiles.
mysec Premium join:2005-11-29
Re: Blocking autorun
Hello Nick,
From your blog:
quote: These worms pretty much all reproduce the same way, at least in terms of how they jump to and from PCs. They have an AUTORUN.INF file and an executable of some kind. When you put the stick in the PC, Windows finds AUTORUN.INF "automagically"... basically, the worm version will either run the executable immediately, or modify the Windows Explorer default behaviour so that the worm will run as soon as you open the stick by double-clicking on it. The executable will make a copy of itself...
And from your post above:
quote: At that point, Autorun.inf can run an executable, and AFAIK, that can not be blocked by any "official" means, at least in XP.
It seems to me that this is a non-threat on a computer that has execution protection.
---- rich
NickBrown join:2007-12-03
Re: Blocking autorun
said by mysec: quote: At that point, Autorun.inf can run an executable, and AFAIK, that can not be blocked by any "official" means, at least in XP.
It seems to me that this is a non-threat on a computer that has execution protection.
Yes, if you can find a way to tell Windows never to run an executable from (given types of) external media, that's great. On our network, though, our mission is generally to restrict as little as possible. We agonised over the deployment of the "IniFileMapping" hack because people who want to install s/w from CD now need to explore the CD to find the setup program. Some sites have officially disabled USB storage altogether (but I'll bet money that the IT people and the VIPs in the executive suite have a workaround).
mysec Premium join:2005-11-29
Re: Blocking autorun
said by NickBrown: Yes, if you can find a way to tell Windows never to run an executable from (given types of) external media, that's great.
Several ways come to mind:
1) Software Restriction Policies
2) Run as Limited User
3) 3rd party execution prevention (White List) program
quote: On our network, though, our mission is generally to restrict as little as possible.
I understand your dilemma, having worked in an educational setting (not quite as many computers as your network, though).
Some faculty computers had Anti-Executable installed (White List protection), where it could be quickly disabled when the user wanted to install something. When enabled, no executable not on the White List could download or install from the web (remote code execution) or from any external media.
All lab computers have Deep Freeze.
---- rich