Blocking autorun in Security

Blocking autorun in Security http://www.dslreports.com/forum/r19412105 en Mon, 30 Nov 2009 01:59:35 EDT Mon, 30 Nov 2009 01:59:35 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19572719 mysec :

said by NickBrown

:

Yes, if you can find a way to tell Windows never to run an executable from (given types of) external media, that's great.

Several ways come to mind,

1) Software Restriction Policies

2) Run as Limited User

3) 3rd party execution prevention (White List) program

quote:
On our network, through, our mission is generally to restrict as little as possible.

I understand your dilemma, having worked in an educational setting (not quite as many computers as your network, though)

Some faculty computers had Anti-Executable installed (White List protection) where it could be quickly disabled when the user wanted to install something. When enabled, no executable not on the White List could download or install from the web (remote code execution) or any external media.

All lab computers have Deep Freeze.

----
rich]]> http://www.dslreports.com/forum/remark,19572719 Thu, 06 Dec 2007 02:37:38 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19572693 NickBrown :

said by mysec

quote:
At that point, Autorun.inf can run an executable, and AFAIK, that can not be blocked by any "official" means, at least in XP.

It seems to me that this is a no-threat on a computer that has execution protection.

Yes, if you can find a way to tell Windows never to run an executable from (given types of) external media, that's great. On our network, through, our mission is generally to restrict as little as possible. We agonised over the deployment of the "IniFileMapping" hack because people who want to install s/w from CD now need to explore the CD to find the setup program. Some sites have officially disabled USB storage altogether (but I'll bet money that the IT people and the VIPs in the executive suite have a workaround).]]> http://www.dslreports.com/forum/remark,19572693 Thu, 06 Dec 2007 02:29:20 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19572551 mysec : Hello Nick,

From your blog:

quote:
These worms pretty much all reproduce the same way, at least in terms of how they jump to and from PCs. They have an AUTORUN.INF file and an executable of some kind. When you put the stick in the PC, Windows finds AUTORUN.INF "automagically"... basically, the worm version will either run the executable immediately, or modify the Windows Explorer default behaviour so that the worm will run as soon as you open the stick by double-clicking on it. The executable will make a copy of itself...

And from your post above:

quote:
At that point, Autorun.inf can run an executable, and AFAIK, that can not be blocked by any "official" means, at least in XP.

It seems to me that this is a no-threat on a computer that has execution protection.

----
rich]]> http://www.dslreports.com/forum/remark,19572551 Thu, 06 Dec 2007 01:50:14 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19570166 NickBrown :

said by shearer

:

If I apply the tweak in OP's post, does it mean other tricks like tweaking Autorun=0 and NoDriveTypeRun keys are not necessary?

Probably. In any case, most of the other keys are per-user rather than per-PC, which is a pain, especially in a corporate environment with roaming profiles.]]> http://www.dslreports.com/forum/remark,19570166 Wed, 05 Dec 2007 18:53:20 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19570141 NickBrown : >could the user protect against folder deletion by making it
>and a file within it password protected with a 3rd party
>utility?

I'm not sure what this would mean. You're dealing with the file system (presumably FAT of some kind on a USB stick) directly here. When you place your stick into an arbitrary computer, you can't guarantee that the computer is running any given utility.

Most viruses are probably not smart enough to delete a directory called Autorun.inf as opposed to deleting or overwriting a file with the same name, because they are separate OS calls. And a directory with a file in it potentially requires a recursive tree delete, which is even more code. Of course, if my workaround becomes popular, that's what viruses will start to do.

However, the other day we came across a virus (not memory stick related) called PE_CORELINK.C which created three files, one in %SystemRoot% and two in %SystemRoot%\System32\Drivers. (It used what I call a pseudo-rootkit to hide from the Windows API, and this pseudo-rootkit was implemented via a boot-time driver.) Anyway, we were able to block it by creating directories of the same name as the files which it creates, but we also had to put NTFS permissions on them so that the user context (in which the virus runs) didn't even have read access. So this virus was able to delete directories. (I don't know if we checked what happened if we put a file in the directory instead of setting the permissions.)]]> http://www.dslreports.com/forum/remark,19570141 Wed, 05 Dec 2007 18:50:52 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19559571 shearer : If I apply the tweak in OP's post, does it mean other tricks like tweaking Autorun=0 and NoDriveTypeRun keys are not necessary?]]> http://www.dslreports.com/forum/remark,19559571 Tue, 04 Dec 2007 04:41:38 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19554205 EGeezer : Hi Nick,

Welcome to BBR, and thanks for the information and link! You have an interesting blog there.

In your follow-up tip where you create an autorun.inf folder and/or file, could the user protect against folder deletion by making it and a file within it password protected with a 3rd party utility? Seems that would prevent the hacker workaround, or at least make them have to add cracker code for the automated hack.
--
My Flickr Gallery]]> http://www.dslreports.com/forum/remark,19554205 Mon, 03 Dec 2007 11:41:05 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19553078 NickBrown : Hi,

As the co-discoverer of the "blocking Autorun.inf" hack, I'm interested to see how far it has spread. See my original blog article at »nick.brown.free.fr/blog/2007/10/···rms.html.

The key point is that Autorun.inf allows much more than just "this program runs when you insert the media". Specifically, it allows the right-click menu in Explorer to be changed, and by extension, the default behaviour when you double-click a folder. At that point, Autorun.inf can run an executable, and AFAIK, that can not be blocked by any "official" means, at least in XP.

Since we applied this registry hack to all of our 1800 PCs, our rate of memory stick worm infection has dropped from 2 or 3 per week, to zero.

(If you can't apply this hack for some reason, consider protecting the stick itself, using the trick described in the next blog article from the one mentioned above.)

Nick]]> http://www.dslreports.com/forum/remark,19553078 Mon, 03 Dec 2007 06:52:09 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19485582 planet :

said by WCB :
(launching an application without your interaction) can only work if the file resides on a CD/DVD or a media that emulates a CD media.

So, holding down the left shift key when inserting any removable media should prevent unwanted execution, correct?

And, thanks for a great read. I shift from being paranoid with this to not so paranoid. So far so good but ya never know.]]> http://www.dslreports.com/forum/remark,19485582 Wed, 21 Nov 2007 12:40:58 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19484142 norwegian : Not quite how to put this, but I was thinking, maybe this is an interestining thread on a topic that does need research.

With the minimal time to research at the moment, I am curious why that in the past 3 months, Autoplay seems to run randomly at times, in not quite a standard fashion meaning it will open a window when nothing is happening to my disk drives, floppy eetc.

Is this a trait to something new, or just miss handling of my protection? Broken drivers?

Otherwise, I have enjoyed some real info for a change. Almost what it used to be here once.

Thankyou.

Edit: Minor correction

.................
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke]]> http://www.dslreports.com/forum/remark,19484142 Wed, 21 Nov 2007 08:33:57 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19458630 anon : Another nice thing about Vista is that even if Autorun and Autoplay are enabled and you insert an infected device, Vista will ask you to approve any executable before running it. XP does not offer this protection. Since the OP was about Vista, the whole "auto anything" point is quite mute. If something executes upon insertion or clicking, just click "No", unless you were wanting or expecting an executable to infect your system with malware. That is why the "No" option in the prompt is available.]]> http://www.dslreports.com/forum/remark,19458630 Fri, 16 Nov 2007 20:03:55 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19457380 Sindows 7 : That should do it.

]]> http://www.dslreports.com/forum/remark,19457380 Fri, 16 Nov 2007 16:26:44 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19440860 Wildcatboy :

said by OZO

:

If you need to block autorun.ini from running on a temporary basis you do not need to run two reg files and make two relogins/restarts of WE in the process. Just press SHIFT key while you're inserting CD/DVD

True, but for some reason, I trust the reg file more than my finger on the shift key. :)

By the way, no restart is needed. I just click on the file and insert the CD/DVD.
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,19440860 Wed, 14 Nov 2007 06:09:02 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19438545 OZO : The value 0xB1 for registry value NoDriveTypeAutoRun placed into HKEY_LOCAL_MACHINE hive is working well (actually, as it should be from the beginning, IMHO). It will block autorun.ini from automatic execution, but still change/modify the drive label, show proper filesystem type (e.g. CDFS) in Properties dialog box and provide with AutoPlay item in right-click menu in WE (you will be able to execute it, if you need).

Wildcatboy

- thanks for sharing :)

said by Wildcatboy

:

... which is why I mentioned I kept the file on the desktop, only for when I need to insert an unknown and untrusted CD into the drive. In normal circumstances, I leave it enabled because I like the feature and I use it.

If you need to block autorun.ini from running on a temporary basis you do not need to run two reg files and make two relogins/restarts of WE in the process. Just press SHIFT key while you're inserting CD/DVD with autorun.ini and the file will be temporarily blocked from execution, yielding you the same result as using the registry value above.
--
Keep it simple, it'll become complex by itself...]]> http://www.dslreports.com/forum/remark,19438545 Tue, 13 Nov 2007 19:16:12 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19434288 Wildcatboy :

said by jmorlan

:

This setting also disables auto-insert notification so CDs will not refresh when a new CD is inserted, nor will they refresh when F5 is pressed.

Yes it does, which is why I mentioned I kept the file on the desktop, only for when I need to insert an unknown and untrusted CD into the drive. In normal circumstances, I leave it enabled because I like the feature and I use it.

OK, to answer the other questions as promised and to give you guys more ideas, here's another way around it.

Explorer uses the registry key
to determine which drive should or should not recognize AutoRun.

And this is how the value of NoDriveAutoRun is set. A little complicated but bear with me. There are several drive types and each has a bitmask and a Decimal / Hex value as follows:

Now, the base value is 128 and by default, in Windows 9x, bits 0, 2, 4 and 7 are already set. (Bit 7 is reserved for future drive types hence the base value of 128). So you have

128+1+4+16=149 = Hex 95

This disables AutoRun function for DRIVE_UNKNOWN, DRIVE_REMOVEABLE, and DRIVE_REMOTE (Network drives) by default.

In Windows XP AutoRun is enabled for DRIVE_REMOVABLE (Floppy, etc...) So You take the value of bit 2 (4) off of 149, which gives you 145 or Hex 91. I believe that's the default value in XP.

If you want to Disable AutoRun for DRIVE_CDROM, just add 32.

145+32=177 Hex=B1

I could have just told you to set the value to 177 but that would have been too easy and you wouldn't know why. :) Now you can also experiment by adding or removing numbers to enable or disable AutoRun for other kinds of drives that you might have.

It will not affect MCN and your CD/DVD is still recognized each time you insert a new one, however the AutoPlay won't work and your CDs and DVDs won't start automatically.

Disclaimer: I don't have a CD with autorun.inf handy at the moment to test it but the method should work. Give it a try if you like and let us all know how it goes.

--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,19434288 Tue, 13 Nov 2007 03:31:53 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19434152 hpguru :

said by Wildcatboy

:

You don't need a software to stop Autorun. I have a .reg file on my desktop like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

Copy it to notepad, rename it to whatever.reg. In my case Autorun.reg

If I need to insert a CD or DVD, I just double click it. Autorun is disabled, insert the CD, examine it and if it's OK, I just change the dword to dword:00000001 , save the file and double-click it again. Autorun is enabled again.

As for disabling AutoRun for USB media, I really see no reason for it. I use the Autorun.inf extensively on my USB stick to create right click menus, have TrueCrypt automatically start and ask for password, etc...

The only USB media that gets connected to my laptop is mine, so what's the point?

This is one solution, albeit a very good one. Another is Sofware Restriction Policy in whitelist mode. In your case you could create hash rules for TrueCrypt and any other programs you wish to run from your USB stick or other removable media and this would save you from having to reenable autorun every time you use those programs. Leave it enabled. Only the programs you have authorized will run.
--
Christianity: A cannibalistic blood cult based upon the human blood sacrifice of a virgin male. It teaches you must eat the flesh and drink the blood of the virgin to be saved.]]> http://www.dslreports.com/forum/remark,19434152 Tue, 13 Nov 2007 02:30:13 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19433995 OZO : That's exactly right. Setting AutoRun=0 blocks the Media Change Notification (MCN) message. Unfortunately with the bad design of this feature in Windows it leads to:
• WE doesn't change icon and title (lable) on the drive. It doesn't matter how many times I press F5 to refresh the drive...
• Properties box shows: File system: Unknown instead of e.g. CDFS
• Context menu on the drive (right click menu) does not show AutoPlay item (which is not important)

I do not see any reason why Windows can't read and show disk label and its file system without executing Autorun.inf file... It doesn't put computer into any risk (in comparison of execution a program from that unknown CD/DVD).

As jmorlan

has mentioned - it took a lot of time for me as well to find out why my drive stopped to show its label when I insert a CD/DVD into it. AutoRun = 0 was a culprit.

Thus, with current design, I need to keep MCN going in order to enable refreshing of icon and title on the drive, while I need to disable just one particular feature - executing autorun.ini (which may start automatic execution of a program from the media). BTW, AutoPlay is not a problem here - it runs my local program, which doesn't contain any viruses/spyware etc.

And it looks like the solution to put a fake path with "Autorun.inf" in "IniFileMapping" key is working so far. The only side effect is - when I insert CD/DVD it opens extra WE window for that drive (which I do not ask to), but it's a minor problem...
--
Keep it simple, it'll become complex by itself...]]> http://www.dslreports.com/forum/remark,19433995 Tue, 13 Nov 2007 01:34:03 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19433869 TE :

said by jmorlan

:

This setting also disables auto-insert notification so CDs will not refresh when a new CD is inserted, nor will they refresh when F5 is pressed. It took quite a while for me to figure out why explorer was showing the contents of the previous CD after a new one had been inserted.

OT - Reminds me of what we use to do to new techs in the department. We would cut pin 34 (DSKCHG) on the floppy cable/drive and see how long it would take them to troubleshoot and repair. ]]> http://www.dslreports.com/forum/remark,19433869 Tue, 13 Nov 2007 01:03:19 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19433822 jmorlan :

said by Wildcatboy

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

Copy it to notepad, rename it to whatever.reg. In my case Autorun.reg

This setting also disables auto-insert notification so CDs will not refresh when a new CD is inserted, nor will they refresh when F5 is pressed. It took quite a while for me to figure out why explorer was showing the contents of the previous CD after a new one had been inserted.

For this reason I leave that registry key set to "1" and disable autorun for individual drives using TweakUI. This leaves auto-insert notification functional while disabling autorun for those drives.
]]> http://www.dslreports.com/forum/remark,19433822 Tue, 13 Nov 2007 00:50:35 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19432104 EGeezer : Interesting topic here: »Trojan Found In New HDs Sold In Taiwan
--
My Flickr Gallery]]> http://www.dslreports.com/forum/remark,19432104 Mon, 12 Nov 2007 20:27:49 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19429785 Wildcatboy :
OK, here's the situation. We have an article written by someone who doesn't have a clear understanding of how things work, creating unnecessary panic among those who are unclear about how things work. :) Let's see if I can help.

said by EGeezer

:

WCB, thanks for the registry tweak! Unfortunately, unlike yourself, others may use a PC and want to do things like store documents, run portable apps etc.

I do all of that. In fact I do nothing but. :)

I think instead of answering your questions one by one, I should first explain how things work when it comes to autorun.inf. Once you know a bit more about that, you may not care about some of those questions.

autorun.inf was designed to be included on CDs. Sure, it does work on just about any kind of drive, including your hard drive and even mapped Network drives, if you know how to get it to work, but what you're afraid of (launching an application without your interaction) can only work if the file resides on a CD/DVD or a media that emulates a CD media. In other words almost every command in autorun.inf works on a USB drive except

Open=whatever.exe

unless it is accompanied by:

Action=Whatever

in which case you'll get the AutoPlay pop up, asking you whether you want to run it using "whatever". It's not going to be automatic.

Now, I'm sure someone is going to show up and say they have a USB drive with autorun.inf that actually does run an application automatically. The answer is yes, however all those USB drives have two partitions, a large one formatted as FAT and a tiny one formatted as CDFS. Windows reads the CDFS partition, assumes it's a CD and then runs the autorun.inf which resides on that partition.

Now if your USB drive doesn't have one of those partitions, you have nothing to worry about. I highly doubt anyone would go through the expense of handing out USB sticks just so they can get you to run their virus, when emailing you the virus would be much easier and far cheaper. Besides, once the partition emulates a CD, Windows thinks of it as a CD and the tweak I mentioned would apply, which means no luck for Autorun.

Now, I guess the answer is clear as to why the tweak I provided, would only work for CD/DVD drives and ignores the rest. And to answer one of your questions, no, limited user accounts can't modify the registry but then again, neither can the virus they're going to try to run. There's probably a way around it by modifying the permissions on your registry keys to get it to work for your limited users but the dangers of doing that wrong, far outweigh not doing it at all.

Remember, even the infamous Sony DRM Rootkit wouldn't affect the limited user accounts. Power users are a different beast altogether. Don't use them.

Your last question, I can't really answer. I can tell you about security but when it comes to security apps, I can't be of much help as I hardly use or look for them. I doubt there's one that would do what you're asking but what do I know. :)

Now, there's more I should tell you to help answer your other questions but that requires another long post. I promise to do that a bit later.
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,19429785 Mon, 12 Nov 2007 14:23:57 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19428944 EGeezer : WCB, thanks for the registry tweak! Unfortunately, unlike yourself, others may use a PC and want to do things like store documents, run portable apps etc. The possibility of an infected drive being unintentionally connected is a real issue with many people.

Some questions, hope somebody can provide solutions;

1) Will this tweak be permitted by the OS when a limited user is logged onto the machine?

1) Would this work for USB attached drives? If so, what reg entry would disable autorun for flash drives while not messing up other attached drives or devices?

2) Would such a registry tweak cause problems if the flash (or external CD) drive were inserted in a different port on the PC, or other drives are also attached?

3) The reg tweak looks good for the CD drive, I wonder if there could be a little program with a radio button to make the registry changes. Assuming a limited or power user could use it, an "enable/disable" button might be handy.

Lots of good feedback to the article - thanks all!
--
My Flickr Gallery]]> http://www.dslreports.com/forum/remark,19428944 Mon, 12 Nov 2007 12:12:45 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19428276 Wildcatboy :
Not recommended. Messing with that list may cause your CD-ROM drives to stop working properly.
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,19428276 Mon, 12 Nov 2007 10:37:02 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19428120 anon :

So what if I add my CD rom model to this list?

like so...

]]> http://www.dslreports.com/forum/remark,19428120 Mon, 12 Nov 2007 10:08:18 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19427459 Wildcatboy :
You don't need a software to stop Autorun. I have a .reg file on my desktop like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

said by Wildcatboy

:

Microsoft introduced the AutoRun specification in Windows 95. AutoPlay is as new as XP. AutoRun worked long before AutoPlay even existed. What makes you think disabling AutoPlay would or should disable AutoRun?

I've got "something" like AutoPlay in Windows 95. It is only changeable when Tweak UI is installed or by editing the Registry.

[att=1][att=2][att=3]

Where does AIN (Auto Insert Notification) come in? I kill that and it stops Windows from even seeing a CD/DVD insert event. I know to F5 or Refresh to see the change.

[att=4]

AutoRun, Auto insert, and AutoPlay
»www.base40.com/cdtTipAutoRun.htm

Regards,

Doctor Olds
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

Tweak UI on Windows 95
Tweak UI on Windows 95
Tweak UI on Windows 95
AIN checkbox under Hardware Manager

]]> http://www.dslreports.com/forum/remark,19427384 Mon, 12 Nov 2007 04:26:02 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19426742 Wildcatboy :
It seems that a lot of people, including a few in this thread, not to mention the author of the article, mix up AutoPlay and AutoRun. They are not the same.

said by EGeezer

:

It seems that disabling autoplay through Explorer doesn't prevent autoplay from working in all cases.

Not entirely true, disabling it should disable AutoPlay but it won't disable AutoRun, which should be obvious.

said by newsletter :

I was able in just a few minutes to make an AutoRun file that would run, even with AutoPlay disabled in XP and "take no action" selected in Vista.

Of course he was. Disabling AutoPlay has nothing to do with AutoRun. It's not an exploit. It's a feature.

Microsoft introduced the AutoRun specification in Windows 95. AutoPlay is as new as XP. AutoRun worked long before AutoPlay even existed. What makes you think disabling AutoPlay would or should disable AutoRun?
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,19426742 Mon, 12 Nov 2007 00:07:09 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19425797 EGeezer :

said by brianiscool

:

Easy create your own snap-in security scope.

Now that little gem gets the "most helpful" trophy.. :D :D :D

Did you ever remember what that admin password was? ;)
--
My Flickr Gallery]]> http://www.dslreports.com/forum/remark,19425797 Sun, 11 Nov 2007 21:13:27 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19425622 brianiscool : Easy create your own snap-in security scope.]]> http://www.dslreports.com/forum/remark,19425622 Sun, 11 Nov 2007 20:45:26 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19422422 Doctor Olds :

said by Anon Name :

As long as it doesn't screw-up the Vista built-in burning and CD sessions, Vista works good that way.

Please read the article as you have been politely asked already. Auto Runs has absolutely NOTHING to do with CD Burning.
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?]]> http://www.dslreports.com/forum/remark,19422422 Sun, 11 Nov 2007 08:34:00 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19422365 HA Nut : As the article notes (and I noticed some time ago), that even with autoplay defeated, if you double clicked a CD's drive's icon, it often fired up something via autoplay. What I do now is to right click and choose Explore instead of Open.

That said, it's nice to know how to permanently block autoplay... :)]]> http://www.dslreports.com/forum/remark,19422365 Sun, 11 Nov 2007 08:02:59 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19422193 anon : Is that for SONY rootkits or what?
I'd be the weakest link with CD security.
I burn back-ups of my OS and insert blank media for burning.
I wouldn't dare put a AOL FREE disk or some trash like that, but I guess.....
As long as it doesn't screw-up the Vista built-in burning and CD sessions, Vista works good that way.]]> http://www.dslreports.com/forum/remark,19422193 Sun, 11 Nov 2007 05:38:04 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19422184 Cudni : read the bit about the exploit in the 1st post

Cudni]]> http://www.dslreports.com/forum/remark,19422184 Sun, 11 Nov 2007 05:28:27 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19422017 anon : Why not just do this?

]]> http://www.dslreports.com/forum/remark,19422017 Sun, 11 Nov 2007 02:57:34 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19421977 mysec : For those interested a less complicated solution for preventing autoruns installing programs:
any program with execution protection will do the job.

I find this useful on family computers, where the parents control the installation of programs.

Some tests:

»www.urs2.net/rsj/computing/tests/autorun/

edit: spelling

----
rich]]> http://www.dslreports.com/forum/remark,19421977 Sun, 11 Nov 2007 02:29:41 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19412237 EGeezer : It's worth a post to note a nice little tutorial on autorun that was referenced and linked in the article. It tells how to tweak the autorun.inf file on a USB drive;
see here.
--
My Flickr Gallery]]> http://www.dslreports.com/forum/remark,19412237 Fri, 09 Nov 2007 12:01:17 EDT Re: Blocking autorun http://www.dslreports.com/forum/remark,19412129 Cudni : Useful to know. Thank you :)

Cudni]]> http://www.dslreports.com/forum/remark,19412129 Fri, 09 Nov 2007 11:41:06 EDT Blocking autorun http://www.dslreports.com/forum/remark,19412105 EGeezer : Scott Dunn and Fred Langa's newsletter had a handy article on preventing autoruns from executing on media inserted or attached to a PC. It seems that disabling autoplay through Explorer doesn't prevent autoplay from working in all cases. Scott has a registry entry that supposedly closes the vulnerability.

said by newsletter :

I was able in just a few minutes to make an AutoRun file that would run, even with AutoPlay disabled in XP and "take no action" selected in Vista.

... The exploit involves creating an autorun.inf file that adds a new default command to a USB flash drive's context menu. If you have "take no action" selected in Vista, the flash drive doesn't automatically launch any programs when first inserted. But double-clicking the flash drive icon in My Computer, for example, is all it takes to launch whatever commands are in autorun.inf (which the attacker has made the default command, in place of Open). ...

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Link to full article and instructions here.
--
My Flickr Gallery]]> http://www.dslreports.com/forum/remark,19412105 Fri, 09 Nov 2007 11:36:38 EDT