OZO (Premium, join 2003-01-17)
Reply to mysec: Re: NoDriveTypeAutoRun and NoDriveAutoRun
Unfortunately you did not mention what the value "NoDriveTypeAutoRun" was set to in your last test, and this is important for interpreting the test results.
I've repeated a test similar to yours (actually the same one I did before my post here), and here are my results:
--- With "NoDriveTypeAutoRun"=dword:ff
1) notepad.exe is not launched automatically when I insert a CD/DVD with autorun.inf (see its content below)
2) notepad.exe is launched when I click on My Computer | E:, which is completely unexpected
3) notepad.exe may be started by clicking on the replaced "Open" menu item (the user doesn't want that)
4) notepad.exe may be started by clicking on the replaced "Explore" menu item (the user doesn't want that)
Cases #2-4 must be fixed by the developer of the OS!
--- With "NoDriveTypeAutoRun"=dword:91 (default for WXP2)
1) notepad.exe is launched automatically when I insert a CD/DVD with autorun.inf (see its content below) - as expected. The rest of the results are the same as above.
Here is the content of the autorun.inf file:
Here is the picture:
[picture: AutoRun]
In this test I was using only the "NoDriveTypeAutoRun" value placed in this key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
I do not modify / use the "NoDriveAutoRun" value.
And finally, because I do not block interpretation of the autorun.inf file, I'm able to see the new drive label (see picture above), as well as its new icon (from notepad.exe in this case), and have all the new menu items in the context menu. Which is the way it should be.
-- Keep it simple, it'll become complex by itself...
mysec (Premium, join 2005-11-29)
said by OZO: "Unfortunately you did not mention what the value 'NoDriveTypeAutoRun' was set to in your last test, and this is important for interpreting the test results."
Last test (4) - same as Tests 2 and 3:
CD/DVD drive enabled, Removable Drives disabled in TweakUI, dword value = 95
I just now included this with the tests.
Other settings in TweakUI:
Both CD/DVD and Removable drives enabled, dword value = 91.
With CD/DVD disabled and Removable Drives enabled, dword value = b1.
With both disabled, dword value = b5.
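An added example (not from the thread) that decodes the NoDriveTypeAutoRun values mysec lists (91, 95, b1, b5) and OZO's ff into the drive types whose autorun.inf handling is disabled. It assumes the documented Windows layout in which bit n of the mask corresponds to drive type n as returned by GetDriveType(); the labels in THREAD_VALUES are taken from the posts above.

```python
# Added example, not from the thread: decode the NoDriveTypeAutoRun mask
# stored under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer.
# Assumption (documented Windows behaviour): bit n of the mask corresponds to
# drive type n as returned by GetDriveType(); a set bit means autorun.inf is
# NOT processed for that drive type.

DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",       # type cannot be determined
    0x02: "DRIVE_NO_ROOT_DIR",   # invalid root path
    0x04: "DRIVE_REMOVABLE",     # USB sticks, floppies
    0x08: "DRIVE_FIXED",         # internal hard disks
    0x10: "DRIVE_REMOTE",        # network shares
    0x20: "DRIVE_CDROM",         # CD/DVD
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNRECOGNIZED",  # reserved bit for unrecognised types
}

# Values quoted in the thread (TweakUI settings reported by mysec, ff by OZO).
THREAD_VALUES = {
    "XP default, CD/DVD and removable enabled": 0x91,
    "removable disabled": 0x95,
    "CD/DVD disabled": 0xB1,
    "both disabled": 0xB5,
    "OZO's test, everything disabled": 0xFF,
}


def decode(value: int) -> set:
    """Return the drive types for which autorun.inf processing is disabled."""
    if not 0 <= value <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is a one-byte bit mask")
    return {name for bit, name in DRIVE_TYPE_BITS.items() if value & bit}


def autorun_allowed(value: int, drive_type: str) -> bool:
    """True if inserting a drive of this type would still trigger autorun.inf."""
    if drive_type not in DRIVE_TYPE_BITS.values():
        raise ValueError(f"unknown drive type {drive_type}")
    return drive_type not in decode(value)


def added_by(setting: int, baseline: int = 0x91) -> set:
    """Which drive types a setting disables beyond the 0x91 baseline."""
    return decode(setting) - decode(baseline)


if __name__ == "__main__":
    for label, value in THREAD_VALUES.items():
        print(f"0x{value:02X} ({label}): disabled for {sorted(decode(value))}")
```

Note the limit the thread turns on: even ff only suppresses the automatic launch on insertion, not the shell verbs the file adds to the context menu.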
OZO (Premium, join 2003-01-17)
Thanks
mysec (Premium, join 2005-11-29)
Reply to OZO. said by OZO: "--- With "NoDriveTypeAutoRun"=dword:ff 1) notepad.exe is not launched automatically when I insert a CD/DVD with autorun.inf (see its content below) 2) notepad.exe is launched when I click on My Computer | E:, which is completely unexpected 3) notepad.exe may be started by clicking on the replaced "Open" menu item (the user doesn't want that) 4) notepad.exe may be started by clicking on the replaced "Explore" menu item (the user doesn't want that) Cases #2-4 must be fixed by the developer of the OS!"
I disagree: the behavior you describe is by design, so that the context menu can be customized by including Shell commands in the Autorun.inf file. I would not want that useful feature to be "fixed!"
---- rich
OZO (Premium, join 2003-01-17)
There is no disagreement!
The behavior I've described is by design, so that the context menu can be customized by including Shell commands in the Autorun.inf file. I would not want that useful feature to be "discarded" either. But, as you can see, I did emphasize the word "replaced", and did it for a purpose.
If malware is able to replace the two well-known menu items I've mentioned, the user is in potential trouble. By clicking on those items the user expects that the drive will be opened/explored by WE. But, instead of that, what he may get is an unexpected execution of a program from removable media. It's as simple as that. And that's dangerous.
That's why I said that the functionality must be fixed. There should be protection against 'replacement' of those well-known menu items by an autorun.inf file.
-- Keep it simple, it'll become complex by itself...
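An added example (not from the thread) that audits an autorun.inf for the "replaced Open/Explore" pattern OZO describes above. The sample file is constructed to match his description (everything launches notepad.exe) since the thread does not reproduce the real file; the parser assumes the standard [autorun] key layout in which shell\verb\command=program defines what a context-menu item runs.

```python
# Added example, not from the thread: audit an autorun.inf for the "replaced
# Open/Explore" pattern OZO describes. SAMPLE_AUTORUN_INF is constructed to
# match his description; the thread does not reproduce the real file.
# Assumed format: standard [autorun] keys, shell\<verb>\command=<program>.
import configparser

SAMPLE_AUTORUN_INF = """\
[autorun]
open=notepad.exe
icon=notepad.exe
label=OZO test disc
shell=open
shell\\open=&Open
shell\\open\\command=notepad.exe
shell\\explore=&Explore
shell\\explore\\command=notepad.exe
"""

# Verbs Explorer itself provides; an autorun.inf that redefines them makes
# the user's ordinary "Open"/"Explore" click run the media's program instead.
WELL_KNOWN_VERBS = {"open", "explore"}


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a dict (configparser lower-cases keys)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp["autorun"]) if cp.has_section("autorun") else {}


def find_overridden_verbs(keys: dict) -> dict:
    """Map each well-known verb the file redefines to the command it would run."""
    hits = {}
    for key, value in keys.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            if parts[1] in WELL_KNOWN_VERBS:
                hits[parts[1]] = value
    return hits


def audit(text: str) -> list:
    """Human-readable findings for one autorun.inf."""
    keys = parse_autorun(text)
    findings = []
    if "open" in keys:
        findings.append(f"open= runs {keys['open']} automatically on insert")
    for verb, cmd in sorted(find_overridden_verbs(keys).items()):
        findings.append(f"context-menu '{verb}' is replaced and runs {cmd}")
    return findings
```

Run audit() over the autorun.inf of unknown media before clicking anything; a file that only sets icon= and label= returns no findings, which is the behaviour OZO says he wants to keep.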
mysec (Premium, join 2005-11-29)
said by OZO: "There is no disagreement!... But, as you can see, I did emphasize the word 'replaced', and did it for a purpose."
OK, I see your point.
said by OZO: "By clicking on those items the user expects that the drive will be opened/explored by WE. But, instead of that, what he may get is an unexpected execution of a program from removable media. It's as simple as that. And that's dangerous."
This is why White List protection will always prevent the unexpected execution of a program from any media or source. The simplest way is running as a Limited User. Other solutions involve security programs with Execution protection.
Other precautions when using unknown removable media:
1) Use TweakUI to toggle the NoDriveAutorun setting for that drive. No Shell commands in the Autorun file will be executed.
2) Instead of clicking on the drive letter in My Computer, open to the drive in Windows Explorer, which is just a Tree View of My Computer. The contents of the drive highlighted in the left pane are displayed in the right pane. No right-context menu items are invoked.
You can create shortcuts to open to any directory/drive in Explorer View. Here, opening to D:\
%windir%\explorer.exe /e, D:\
The /e switch opens the drive in "expanded" or Tree View.
---- rich
OZO (Premium, join 2003-01-17)
You're right - White List protection surely may help, as may the advice not to click on the drive in My Computer but to open the drive in Windows Explorer instead. But not everyone runs a special program that supports a White List, and not everyone remembers the rule (do not open a drive from My Computer), which may be a common practice (though personally I never do it, I respect the opinions of others who do it, and why not). I'd call all of these additional layers of protection.
My point here is that if the basic layer is broken, it should be fixed first. And the solution should be simple, like marking one check box in the Folder Options dialog box (see my picture below):
[picture: Folder Options - Autorun]
-- Keep it simple, it'll become complex by itself...
R2 R (MVM, join 2000-09-18, Long Beach, CA)
Reply to mysec: Sorry, can I back up a step? Tweak UI's NoDriveAutoRun seems to be as helpful as the "DoesNotExist" .reg file -- yet it does not require a reboot. Is that correct? Thanks.
mysec (Premium, join 2005-11-29)
Yes - as noted here on WinXP SP1.