  Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN
reply to mysec Re: Disabling 'Autorun' on USB and beyond. Need help.
said by mysec:
My conclusions: ... 2) TweakUI to disable the drive if you want to prevent the drive from executing the AutoRun.inf file. ...

Question: do you or anyone else know for sure if the TweakUI settings persist in spite of the MountPoints2 key possibly over-riding various Windows settings, as Nick Brown noted in EGeezer's »Blocking autorun link and Scott Dunn referred to in Shriyash's »windowssecrets.com/comp/071108 link?

I've got a friend in a 3rd-World country who's wrestling right now to protect against USB-drive malware that keeps appearing on flashdrives being exchanged with government ministries... govt malware protection is virtually non-existent there. Some of these drives pass back and forth multiple times, so if MountPoints2 stored data over-rides other settings and allows autorun.inf to run on a USB drive that's been plugged into their computer before, that presents a real threat to using TweakUI or similar in that locale. Using the IniFileMapping\AutoRun.inf reg-fix EGeezer noted above would probably be their only simple answer... but I'd really like to know for sure.

-- If God wanted us to work with electrons, He'd make them big enough to see...
 mysec Premium join:2005-11-29
I read both the article and blog when they appeared.
Nick refers to the NoDriveTypeAutoRun key but not the NoDriveAutoRun key.
I've tested with the latter and have not found it to be overridden.
Regarding your friend: is he concerned about his own computer, or government computers?
If his own, just install a White List execution prevention program and he's safe.
---- rich
  Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN
said by mysec:
I read both the article and blog when they appeared. I've tested many times with my XP laptop and have never found the mountpoints2 entries to stick once the CD is removed from the drive, or USB drive unplugged. Nick doesn't elaborate on the cache setting, so I don't know what he is referring to. Regarding your friend: is he concerned about his own computer, or government computers? If his own, just install a White List execution prevention program and he's safe. ---- rich

It's their own computer they're trying to protect. They've been attacked 3 times in recent days, and there's a concern that sooner or later their AV may not hold against the flood... the most recent attack was related to an autorun-triggered Win32/PSW virus variant that only made it onto their AV's signature list three days or so before the attack occurred.

There seem to be a number of things that affect the vulnerability of a computer to autorun-related malware. Obviously, Brown and Dunn seem to think there's a way for the MountPoints2 key to over-ride other settings. Your experience seems to show otherwise. It's never easy, is it?

I guess I need to dig more deeply into the whitelisting approach... though I'm not sure how easy that will be for them to acquire and install where they are.